Re: mod_auth_ldap and mod_auth interaction
Thanks Brad, I'll switch it off and stop poking at the code.

Cheers,
Duncan

At 21:53 01/12/2004, you wrote:

> The short answer is that it is already fixed in Apache 2.1/2.2. Unfortunately you have hit on one of the limitations of the Apache 2.0 authentication module structure. The problem is that authorization types are replicated through multiple authentication modules. Fortunately this has all been taken care of in Apache 2.1/2.2. For example, in the Apache 2.1/2.2 version of mod_authnz_ldap, the authorization types are no longer user, group, etc., they are ldap-user, ldap-group, etc. You can also mix and match different types of authorization with authentication.
>
> The quick fix for Apache 2.0 is to set AuthAuthoritative off so that if the mod_auth authorization fails, it will defer to mod_auth_ldap which will work.
>
> Brad
>
> [EMAIL PROTECTED] Tuesday, November 30, 2004 5:35:29 AM
>
> > Sorry if this belongs in the users group, it's a query, but a query about the working of the code.
> >
> > I've filed a bug (32426) but am trying to fix it myself.
> >
> > What I've found is that if user_is_dn is set (AuthLDAPRemoteUserIsDN in an .htaccess file) then mod_auth_ldap sets r->user to be the user's dn, not the user uid authenticated as.
> >
> > util_script.c uses this value to set REMOTE_USER (Good, all is well :) but..
> >
> > mod_auth.c uses this value to check the require(d) user and of course fails as the list of users is a list of uids.
> >
> > mod_auth_ldap has its own require ( user | group | valid-user) checks. These are used for require group successfully but not require user.
> >
> > Is there a way to get information such as req->user or user_is_dn back into mod_auth? I'm guessing not easily; you don't really want to mess with mod_auth.
> >
> > Or get mod_auth to use mod_auth_ldap's auth_checker for require user as it does for require group, which I think is the correct solution.
> >
> > Hoping someone familiar with the code can save me some time.
> >
> > Cheers,
> > Duncan
Re: mod_auth_ldap and mod_auth interaction
The short answer is that it is already fixed in Apache 2.1/2.2. Unfortunately you have hit on one of the limitations of the Apache 2.0 authentication module structure. The problem is that authorization types are replicated through multiple authentication modules. Fortunately this has all been taken care of in Apache 2.1/2.2. For example, in the Apache 2.1/2.2 version of mod_authnz_ldap, the authorization types are no longer user, group, etc., they are ldap-user, ldap-group, etc. You can also mix and match different types of authorization with authentication.

The quick fix for Apache 2.0 is to set AuthAuthoritative off so that if the mod_auth authorization fails, it will defer to mod_auth_ldap which will work.

Brad

[EMAIL PROTECTED] Tuesday, November 30, 2004 5:35:29 AM

> Sorry if this belongs in the users group, it's a query, but a query about the working of the code.
>
> I've filed a bug (32426) but am trying to fix it myself.
>
> What I've found is that if user_is_dn is set (AuthLDAPRemoteUserIsDN in an .htaccess file) then mod_auth_ldap sets r->user to be the user's dn, not the user uid authenticated as.
>
> util_script.c uses this value to set REMOTE_USER (Good, all is well :) but..
>
> mod_auth.c uses this value to check the require(d) user and of course fails as the list of users is a list of uids.
>
> mod_auth_ldap has its own require ( user | group | valid-user) checks. These are used for require group successfully but not require user.
>
> Is there a way to get information such as req->user or user_is_dn back into mod_auth? I'm guessing not easily; you don't really want to mess with mod_auth.
>
> Or get mod_auth to use mod_auth_ldap's auth_checker for require user as it does for require group, which I think is the correct solution.
>
> Hoping someone familiar with the code can save me some time.
>
> Cheers,
> Duncan
mod_auth_ldap and mod_auth interaction
Sorry if this belongs in the users group, it's a query, but a query about the working of the code.

I've filed a bug (32426) but am trying to fix it myself.

What I've found is that if user_is_dn is set (AuthLDAPRemoteUserIsDN in an .htaccess file) then mod_auth_ldap sets r->user to be the user's dn, not the user uid authenticated as.

util_script.c uses this value to set REMOTE_USER (Good, all is well :) but..

mod_auth.c uses this value to check the require(d) user and of course fails as the list of users is a list of uids.

mod_auth_ldap has its own require ( user | group | valid-user) checks. These are used for require group successfully but not require user.

Is there a way to get information such as req->user or user_is_dn back into mod_auth? I'm guessing not easily; you don't really want to mess with mod_auth.

Or get mod_auth to use mod_auth_ldap's auth_checker for require user as it does for require group, which I think is the correct solution.

Hoping someone familiar with the code can save me some time.

Cheers,
Duncan
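
The configuration discussed in this thread, as an added example that is not part of the original messages: the Apache 2.0 workaround from Brad's reply next to the Apache 2.1/2.2 form that uses the ldap-user authorization type. The LDAP host, base DN, realm name and the uid "duncan" are constructed placeholders.

```apache
# ---- Apache 2.0 .htaccess (mod_auth + mod_auth_ldap) ----
AuthType Basic
AuthName "Example realm (constructed)"

# Constructed placeholder server and base DN; users are looked up by uid.
AuthLDAPURL ldap://ldap.example.com/ou=People,dc=example,dc=com?uid

# REMOTE_USER is set to the full DN, so r->user no longer holds the uid
# that the "Require user" line below lists.
AuthLDAPRemoteUserIsDN on

# Workaround from the thread: when mod_auth cannot match r->user against
# the Require line it declines instead of rejecting the request, and the
# decision passes on to mod_auth_ldap.
AuthAuthoritative off

# Default value, written out so the fall-through ends here: if the LDAP
# check also fails, the request is refused rather than passed further on.
AuthLDAPAuthoritative on

Require user duncan


# ---- Apache 2.1/2.2 .htaccess (mod_authnz_ldap) ----
AuthType Basic
AuthName "Example realm (constructed)"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap.example.com/ou=People,dc=example,dc=com?uid
AuthLDAPRemoteUserIsDN on

# The authorization type names its provider, so only the LDAP module
# evaluates this line and no other module has to be set non-authoritative.
Require ldap-user duncan
```

With AuthAuthoritative off, review any other Require lines in the same scope, since every authorization failure in mod_auth is then deferred to the next module rather than rejected outright.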