Re: [EMAIL PROTECTED] Require ldap-group directive issue in Apache 2.2

2006-11-29 Thread Eric Covener

On 11/7/06, Christophe Gravier [EMAIL PROTECTED] wrote:

Hello,

Nobody is using ldap based authentication and authorization, based on
group ?


Your configuration looks identical to mine, except my group
memberships are based on 'member' instead of 'uniquemember' -- but
they're the two values tried by Apache by default.

You'd probably learn an immense amount of info by looking at an IP
trace between Apache and LDAP formatted by wireshark/ethereal.

Another interesting thing, if you're linked against OpenLDAP and have
mysterious errors, is to turn on debugging in the LDAP library, which
will be dumped to the error log. I've been unlucky getting any
environment variable or OpenLDAP config file to affect things, but you
can add the following to the util_ldap.c post-config hook:

+{
+int LDAP_DEBUG_LEVEL = -1;
+ldap_set_option(NULL , LDAP_OPT_DEBUG_LEVEL, (LDAP_DEBUG_LEVEL));
+}
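Review bot: the `ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, ...)` call with a level of -1 switches on every OpenLDAP debug category, including the BER and packet dumps, so the error log will receive the contents of each bind request in clear text: the AuthLDAPBindPassword and every user's Basic-auth password. Use it on a test instance only, or narrow the level to the categories you need, and purge the log afterwards. The return value is also discarded; compare it with LDAP_OPT_SUCCESS and log a failure, since LDAP_OPT_DEBUG_LEVEL is OpenLDAP-specific and a build against another LDAP SDK may not honour it. Finally, the local `LDAP_DEBUG_LEVEL` in capitals reads as a macro; a lower-case name such as `debug_level` avoids confusion with the SDK's LDAP_DEBUG_* constants.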



--
Eric Covener
[EMAIL PROTECTED]

-
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
 from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: [EMAIL PROTECTED] Require ldap-group directive issue in Apache 2.2

2006-11-13 Thread John P. Dodge
On Mon, 6 Nov 2006, Christophe Gravier wrote:

 Hello,

 Regarding the new Apache 2.2 authentication and authorization layers,
 especially ldap-group (
 http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ), I
 wanted to build authentication and authorization based on LDAP group
 membership.

 I built my directive the same way as in those man pages, that means:

 <Location /DevDSI_trac>
     SetEnv TRAC_ENV /var/trac/DevDSI
     AuthType Basic
     AuthName "DevDSI trac"
     AuthBasicProvider ldap
     AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
     require ldap-group cn=satin,ou=groups,o=istase,c=fr
 </Location>


 Thank you in advance,

 Regards.

 --
 Christophe Gravier
 Laboratoire DIOM, SATIn team - PhD student
 http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php

I had trouble with LDAP Groups when using Active Directory but I think it
is a symptom of my AD service.

I did have success with ldap-filter, which I could use to query an
attribute of the uid returned from LDAP (sAMAccountName).

 require ldap-filter (memberOf=G4570)

This works for me as the group affiliations are mostly described as
attributes in (our) AD.



My hovercraft is full of eels
John P. Dodge
Boeing Shared Services





Re: [EMAIL PROTECTED] Require ldap-group directive issue in Apache 2.2

2006-11-07 Thread Christophe Gravier

Hello,

Nobody is using ldap based authentication and authorization, based on 
group ?


I mean I have been testing it for some days and I can't figure out the problem.
I really think I'm compliant with the 2.2 doc (for example require
ldap-user is working and I don't see much difference with require ldap-group
...)


Has anybody succeeded in building such a configuration?
If nobody has, I'll file a bug report ... (which is not necessary if
someone ever succeeded ;-)).


Thank you in advance,

Best Regards,

Christophe Gravier wrote:

Hello,

Regarding the new Apache 2.2 authentication and authorization layers,
especially ldap-group (
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ),
I wanted to build authentication and authorization based on LDAP
group membership.


I built my directive the same way as in those man pages, that means:

<Location /DevDSI_trac>
   SetEnv TRAC_ENV /var/trac/DevDSI
   AuthType Basic
   AuthName "DevDSI trac"
   AuthBasicProvider ldap
   AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
   require ldap-group cn=satin,ou=groups,o=istase,c=fr
</Location>

This is not working. I did check that the ldap-group contains no typo.
AuthLDAPURL is OK since I can make my identification work with the
require ldap-user directive.
I also made it work by setting AuthzLDAPAuthoritative to off for the
require valid-user directive (but this is not LDAP group based
authorization, of course).


Moreover, my group is declared as follows in my OpenLDAP directory:
dn: cn=satin,ou=groups,o=istase,c=fr
objectClass: groupOfUniqueNames
uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
uniqueMember: etc

So, when I try to log in to the web area, I receive a 401 Authorization
Required. There's no trace in the error log (I get a trace if I enter a
bad password, though).
This means I successfully go through the auth type and authentication
layers but not through authorization (but no error message in
error.log!).


My loaded modules are:
ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
alias.load, auth_basic.load, authn_file.load, authnz_ldap.load, 
authz_host.load, authz_owner.load, authz_user.load, autoindex.load, 
cgi.load, dav.load, dav_svn.load, dir.load, env.load, ldap.load, 
mime.load, negotiation.load, php4.conf, php4.load, status.load


I think I understand the new architecture well because I clearly got
ldap-user and valid-user without LDAP authoritative working. But
there's something about ldap-group I haven't been able to figure out for a
couple of days; that's why I decided to ask on this mailing list.


Does anyone have an idea, please, about my configuration? I can post info
if needed.
Or at least, does anyone have a configuration working with LDAP based
on groups?


Thank you in advance,

Regards.




--
Christophe Gravier
Laboratoire DIOM, SATIn team - PhD student
http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Research engineer http://www.istase.com
Personal: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/





[EMAIL PROTECTED] Require ldap-group directive issue in Apache 2.2

2006-11-06 Thread Christophe Gravier

Hello,

Regarding the new Apache 2.2 authentication and authorization layers,
especially ldap-group (
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ), I
wanted to build authentication and authorization based on LDAP group
membership.


I built my directive the same way as in those man pages, that means:

<Location /DevDSI_trac>
   SetEnv TRAC_ENV /var/trac/DevDSI
   AuthType Basic
   AuthName "DevDSI trac"
   AuthBasicProvider ldap
   AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
   require ldap-group cn=satin,ou=groups,o=istase,c=fr
</Location>

This is not working. I did check that the ldap-group contains no typo.
AuthLDAPURL is OK since I can make my identification work with the
require ldap-user directive.
I also made it work by setting AuthzLDAPAuthoritative to off for the
require valid-user directive (but this is not LDAP group based
authorization, of course).


Moreover, my group is declared as follows in my OpenLDAP directory:
dn: cn=satin,ou=groups,o=istase,c=fr
objectClass: groupOfUniqueNames
uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
uniqueMember: etc

So, when I try to log in to the web area, I receive a 401 Authorization
Required. There's no trace in the error log (I get a trace if I enter a bad
password, though).
This means I successfully go through the auth type and authentication layers
but not through authorization (but no error message in error.log!).


My loaded modules are:
ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
alias.load, auth_basic.load, authn_file.load, authnz_ldap.load, 
authz_host.load, authz_owner.load, authz_user.load, autoindex.load, 
cgi.load, dav.load, dav_svn.load, dir.load, env.load, ldap.load, 
mime.load, negotiation.load, php4.conf, php4.load, status.load


I think I understand the new architecture well because I clearly got
ldap-user and valid-user without LDAP authoritative working. But
there's something about ldap-group I haven't been able to figure out for a
couple of days; that's why I decided to ask on this mailing list.


Does anyone have an idea, please, about my configuration? I can post info if
needed.
Or at least, does anyone have a configuration working with LDAP based on
groups?


Thank you in advance,

Regards.

--
Christophe Gravier
Laboratoire DIOM, SATIn team - PhD student
http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Research engineer http://www.istase.com
Personal: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/


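Added example, not part of this thread and not httpd's code: a Python model of the two authorization checks discussed in it, the `Require ldap-group` compare against the `member`/`uniquemember` attributes that Eric says httpd tries by default, run on the groupOfUniqueNames entry Christophe posted, and the `Require ldap-filter` search that John uses against an Active Directory `memberOf` attribute. The LDIF entries are constructed and the Active Directory DNs are assumptions. Real httpd issues the compare and search operations against the directory; this version evaluates them in memory so the matching rules are visible.

```python
"""Added example (not from the thread or from httpd): an in-memory model of the
decisions behind `Require ldap-group` and `Require ldap-filter` on constructed LDIF."""

# Constructed LDIF, modelled on the groupOfUniqueNames entry posted in the thread.
GROUP_LDIF = """\
dn: cn=satin,ou=groups,o=istase,c=fr
objectClass: groupOfUniqueNames
uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
uniqueMember: uid=alice,ou=person,o=istase,c=fr
"""

# Constructed Active Directory style user entry; these DNs are assumptions.
USER_LDIF = """\
dn: CN=jdodge,OU=Users,DC=example,DC=com
objectClass: user
sAMAccountName: jdodge
memberOf: CN=G4570,OU=Groups,DC=example,DC=com
"""

DN_ATTRIBUTES = {"member", "uniquemember", "memberof"}  # DN-syntax attributes

def parse_ldif_entry(text):
    """Parse one LDIF entry into (dn, {attribute_lowercased: [values]})."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def normalize_dn(dn):
    """DN matching ignores the case of attribute types and of values in
    case-insensitive syntaxes (cn, uid, ...) and whitespace around '=' and ','."""
    parts = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        parts.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(parts)

def values_match(stored, wanted, dn_syntax):
    """Equality as the server applies it for the attribute's syntax."""
    if dn_syntax:
        return normalize_dn(stored) == normalize_dn(wanted)
    return stored.lower() == wanted.lower()

def require_ldap_group(group_ldif, user_dn, username,
                       group_attrs=("member", "uniquemember"), attr_is_dn=True):
    """`Require ldap-group <dn>`: httpd does one LDAP compare on the group entry
    per attribute in AuthLDAPGroupAttribute (defaults: member, uniquemember).
    With AuthLDAPGroupAttributeIsDN on (the default) it compares the user's
    DN; with it off, the bare username (what posixGroup's memberUid holds)."""
    _, attrs = parse_ldif_entry(group_ldif)
    value = user_dn if attr_is_dn else username
    return any(values_match(stored, value, attr_is_dn)
               for a in group_attrs for stored in attrs.get(a.lower(), []))

def parse_filter(s, i=0):
    """Recursive-descent parser for the RFC 4515 subset used here:
    (attr=value), (attr=*), (&...), (|...) and (!...)."""
    i += 1  # skip the opening '('
    if s[i] in "&|!":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        return (op, subs), i + 1  # skip the closing ')'
    end = s.index(")", i)
    attr, _, val = s[i:end].partition("=")
    return ("=", attr.strip().lower(), val.strip()), end + 1

def filter_matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "=":
        _, attr, val = node
        stored = attrs.get(attr, [])
        if val == "*":  # presence filter, e.g. (objectClass=*)
            return bool(stored)
        return any(values_match(s, val, attr in DN_ATTRIBUTES) for s in stored)
    op, subs = node
    if op == "&":
        return all(filter_matches(n, attrs) for n in subs)
    if op == "|":
        return any(filter_matches(n, attrs) for n in subs)
    return not filter_matches(subs[0], attrs)  # "!" has exactly one operand

def require_ldap_filter(user_ldif, ldap_filter):
    """`Require ldap-filter <filter>`: httpd searches with the filter and grants
    access only if the entry returned is the authenticated user's own entry;
    simulated here by evaluating the filter against that entry."""
    _, attrs = parse_ldif_entry(user_ldif)
    node, _ = parse_filter(ldap_filter)
    return filter_matches(node, attrs)
```

With the constructed group, require_ldap_group(GROUP_LDIF, "uid=gravier.christophe,ou=person,o=istase,c=fr", "gravier.christophe") returns True, and still does when the DN is given in another case or with spaces after the commas, because DN matching is not a plain string comparison. It returns False if AuthLDAPGroupAttribute is narrowed to `member` (the entry holds `uniqueMember`) or if AuthLDAPGroupAttributeIsDN is off (the group holds DNs, not bare uids). In the constructed AD entry `memberOf` holds a full group DN, so `(memberOf=CN=G4570,OU=Groups,DC=example,DC=com)` matches and `(memberOf=G4570)` does not; what a short value matches on a given directory depends on what that attribute actually stores, which an `ldapsearch` for the user's own entry will show. Against a live server, OpenLDAP's `ldapcompare <group dn> uniqueMember:<user dn>` performs the same compare operation httpd issues for `Require ldap-group`.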