Re: [EMAIL PROTECTED] Require ldap-group directive issue in Apache 2.2
On 11/7/06, Christophe Gravier [EMAIL PROTECTED] wrote:
> Hello,
> Nobody is using ldap based authentication and authorization, based on group ?

Your configuration looks identical to mine, except my group memberships are
based on 'member' instead of 'uniquemember' -- but they're the 2 values tried
by apache by default.

You'd probably learn an immense amount of info by looking at an IP trace
between Apache and LDAP formatted by wireshark/ethereal.

Another interesting thing if you're linked against openldap and have
mysterious errors is to turn on debugging in the LDAP library, which will be
dumped to the errorlog. I've been unlucky getting any environment variable or
openldap config file to affect things, but you can add the following to the
util_ldap.c post-config hook:

+{
+int LDAP_DEBUG_LEVEL = -1;
+ldap_set_option(NULL , LDAP_OPT_DEBUG_LEVEL, (LDAP_DEBUG_LEVEL));
+}

--
Eric Covener
[EMAIL PROTECTED]

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See URL:http://httpd.apache.org/userslist.html for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
   "   from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
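Review bot: the third argument of ldap_set_option() is a `const void *` pointing at the option value, so `ldap_set_option(NULL , LDAP_OPT_DEBUG_LEVEL, (LDAP_DEBUG_LEVEL));` hands the library the integer -1 where a pointer is expected; the call should be `ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &LDAP_DEBUG_LEVEL);`. Two smaller points: an all-caps name for a local variable reads like a macro and risks a clash with OpenLDAP's own LDAP_DEBUG_* macros, so a plain `debug_level` is safer, and a level of -1 enables every debug category, which makes the error log carry library-level traces of the LDAP exchange (for a simple bind this can include the bind credentials), so this belongs in a temporary troubleshooting build that is reverted afterwards, with the error log readable only by the people who need it.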
Re: [EMAIL PROTECTED] Require ldap-group directive issue in Apache 2.2
On Mon, 6 Nov 2006, Christophe Gravier wrote:

> Hello,
>
> Regarding new Apache 2.2 authentication and authorization layers,
> especially ldap-group
> ( http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ),
> I wanted to build authentication and authorization based on ldap group
> membership. I built my directive the same way as those man pages, that
> means:
>
> <Location /DevDSI_trac>
>   SetEnv TRAC_ENV /var/trac/DevDSI
>   AuthType Basic
>   AuthName "DevDSI trac"
>   AuthBasicProvider ldap
>   AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
>   require ldap-group cn=satin,ou=groups,o=istase,c=fr
> </Location>
>
> Thank you in advance,
> Regards.
>
> --
> Christophe Gravier
> Laboratoire DIOM, SATIn team - PhD student
> http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php

I had trouble with LDAP Groups when using Active Directory but I think it is
a symptom of my AD service. I did have success with ldap-filter which I could
use to query an attribute of the uid returned from LDAP (sAMAccountName).

require ldap-filter (memberOf=G4570)

This works for me as the group affiliations are mostly described as
attributes in (our) AD.

My hovercraft is full of eels
John P. Dodge
Boeing Shared Services
Re: [EMAIL PROTECTED] Require ldap-group directive issue in Apache 2.2
Hello,

Nobody is using ldap based authentication and authorization, based on group ?
I mean I am testing it for some days and I can't figure out the problem. I
really think I'm compliant with the 2.2 doc (for example require ldap-user is
working and I don't see much difference with require ldap-group ...)

Has anybody succeeded in building such a configuration ? If nobody did, I'll
file a bug report ... (Which is not necessary if someone ever succeeded ;-)).

Thank you in advance,
Best Regards,

Christophe Gravier wrote:
> Hello,
>
> Regarding new Apache 2.2 authentication and authorization layers,
> especially ldap-group
> ( http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ),
> I wanted to build authentication and authorization based on ldap group
> membership. I built my directive the same way as those man pages, that
> means:
>
> <Location /DevDSI_trac>
>   SetEnv TRAC_ENV /var/trac/DevDSI
>   AuthType Basic
>   AuthName "DevDSI trac"
>   AuthBasicProvider ldap
>   AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
>   require ldap-group cn=satin,ou=groups,o=istase,c=fr
> </Location>
>
> This is not working. I did check that ldap-group contains no typo.
> AuthLDAPURL is ok since I can make my identification work with the
> require ldap-user directive. I also made it work by setting
> AuthzLDAPAuthoritative to off for the require valid-user directive (but
> this is not ldap group based authorization of course).
>
> Moreover, my group is declared as follows in my openldap directory:
>
> dn: cn=satin,ou=groups,o=istase,c=fr
> objectClass: groupOfUniqueNames
> uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
> uniqueMember: etc
>
> So, when I try to log in to the web area, I receive a 401 Authorization
> required. There's no trace in the error log (I get a trace if I enter a
> bad password though). This means I successfully go through the auth type
> and authentication layers but not through authorization (but no error
> message in error.log !).
>
> My loaded modules are:
>
> ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
>
> alias.load, auth_basic.load, authn_file.load, authnz_ldap.load,
> authz_host.load, authz_owner.load, authz_user.load, autoindex.load,
> cgi.load, dav.load, dav_svn.load, dir.load, env.load, ldap.load,
> mime.load, negotiation.load, php4.conf, php4.load, status.load
>
> I think I understand the new architecture well because I clearly made
> ldap-user and valid-user without ldap authoritative working. But there's
> something for ldap-group I can't figure out for a couple of days; that's
> why I decided to ask on this mailing list.
>
> Does anyone have an idea please on my configuration ? I can post info if
> needed. Or at least, does anyone have a configuration working with ldap
> based on groups ?
>
> Thank you in advance,
> Regards.
>
> --
> Christophe Gravier
> Laboratoire DIOM, SATIn team - PhD student
> http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
> ISTASE - Research engineer
> http://www.istase.com
> Perso: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/
[EMAIL PROTECTED] Require ldap-group directive issue in Apache 2.2
Hello,

Regarding new Apache 2.2 authentication and authorization layers, especially
ldap-group ( http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ),
I wanted to build authentication and authorization based on ldap group
membership. I built my directive the same way as those man pages, that means:

<Location /DevDSI_trac>
  SetEnv TRAC_ENV /var/trac/DevDSI
  AuthType Basic
  AuthName "DevDSI trac"
  AuthBasicProvider ldap
  AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
  require ldap-group cn=satin,ou=groups,o=istase,c=fr
</Location>

This is not working. I did check that ldap-group contains no typo.
AuthLDAPURL is ok since I can make my identification work with the require
ldap-user directive. I also made it work by setting AuthzLDAPAuthoritative to
off for the require valid-user directive (but this is not ldap group based
authorization of course).

Moreover, my group is declared as follows in my openldap directory:

dn: cn=satin,ou=groups,o=istase,c=fr
objectClass: groupOfUniqueNames
uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
uniqueMember: etc

So, when I try to log in to the web area, I receive a 401 Authorization
required. There's no trace in the error log (I get a trace if I enter a bad
password though). This means I successfully go through the auth type and
authentication layers but not through authorization (but no error message in
error.log !).

My loaded modules are:

ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'

alias.load, auth_basic.load, authn_file.load, authnz_ldap.load,
authz_host.load, authz_owner.load, authz_user.load, autoindex.load, cgi.load,
dav.load, dav_svn.load, dir.load, env.load, ldap.load, mime.load,
negotiation.load, php4.conf, php4.load, status.load

I think I understand the new architecture well because I clearly made
ldap-user and valid-user without ldap authoritative working. But there's
something for ldap-group I can't figure out for a couple of days; that's why
I decided to ask on this mailing list.

Does anyone have an idea please on my configuration ? I can post info if
needed. Or at least, does anyone have a configuration working with ldap based
on groups ?

Thank you in advance,
Regards.

--
Christophe Gravier
Laboratoire DIOM, SATIn team - PhD student
http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Research engineer
http://www.istase.com
Perso: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/
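As an added illustration (not code from the thread or from Apache), the Python below models the decision `Require ldap-group` makes with mod_authnz_ldap's defaults, AuthLDAPGroupAttribute member,uniqueMember and AuthLDAPGroupAttributeIsDN on: the DN found for the user is compared against those attributes of the group entry. Apache does that comparison server-side with an LDAP compare operation; here the same check runs over a constructed LDIF dump, so a group entry pulled with ldapsearch can be tested offline, and it also covers the posixGroup/memberUid case, where the defaults never match unless the group attribute is overridden.

```python
import re

# Constructed LDIF (not a dump of the thread's directory): the groupOfUniqueNames
# entry as described in the post, plus a posixGroup variant to show the pitfall.
GROUP_LDIF = """\
dn: cn=satin,ou=groups,o=istase,c=fr
objectClass: groupOfUniqueNames
uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
uniqueMember: uid=someone.else,ou=person,o=istase,c=fr

dn: cn=unix-satin,ou=groups,o=istase,c=fr
objectClass: posixGroup
memberUid: gravier.christophe
"""

def norm_dn(dn):
    """Approximate distinguishedNameMatch: case-fold, drop spaces around ',' and '='."""
    return ",".join(re.sub(r"\s*=\s*", "=", rdn.strip()).lower() for rdn in dn.split(","))

def parse_ldif(text):
    """Return {normalised dn: {lower-case attribute: [values]}} for a simple LDIF dump."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[norm_dn(attrs["dn"][0])] = attrs
    return entries

def ldap_group_allows(entries, group_dn, user_dn, user_uid,
                      group_attrs=("member", "uniqueMember"), attr_is_dn=True):
    """Decide 'Require ldap-group <group_dn>' for the user whose search returned user_dn.

    Defaults mirror mod_authnz_ldap (AuthLDAPGroupAttribute member,uniqueMember and
    AuthLDAPGroupAttributeIsDN on): the user's DN is compared with each listed
    attribute of the group entry. With attr_is_dn=False the bare uid is compared,
    which is what a posixGroup's memberUid needs.
    """
    group = entries.get(norm_dn(group_dn))
    if group is None:
        return False
    wanted = norm_dn(user_dn) if attr_is_dn else user_uid
    for attr in group_attrs:
        for value in group.get(attr.lower(), []):
            candidate = norm_dn(value) if attr_is_dn else value
            if candidate == wanted:
                return True
    return False
```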