Re: [users@httpd] require valid-user with ldap

2014-11-27 Thread Christopher Schultz

Marc,

On 11/27/14 2:42 AM, Tobias Adolph wrote:
> do you have any other authorization modules (like mod_shib for
> shibboleth-authentication)?
>
> We had an issue concerning require valid-user, too. I guess that if
> several authorization handlers are active, the require valid-user
> directive asks each of them for approval. At least mod_shib shows
> this behaviour. The fact that if you give the specific user (which
> determines the specific authorization authority) or a
> require-directive specific to an authorization module supports
> this assumption.

I have LDAP working without file-based fallback, but I'm using
Require ldap-group instead of Require [somethingelse].

Our configuration is so old I can't remember if I actually fought
httpd's configuration and settled for ldap-group or if I just never
tried anything else (like Require valid-user).

-chris

> On 24.11.2014 at 12:13, Marc Patermann wrote:
>> Hi,
>>
>> I am using the following .htaccess
>>
>> AuthBasicProvider ldap file
>> AuthType Basic
>> AuthzLDAPAuthoritative off
>> Authname ...
>> AuthUserFile /srv/www/.htusers-mf
>> AuthLDAPURL ldap://ldapserver/ou=humans,ou=foo,c=de?mail??(mail=*@ofd-*.foo.de)
>>
>> <Limit PROPFIND OPTIONS GET>
>>  #Require ldap-group ou=Benutzer-Opst,ou=gruppen,ou=humans,ou=foo,c=de
>>  #Require user k1-st-01
>>  Require valid-user
>> </Limit>
>> ...
>>
>> The require valid-user does not work for ldap users. I get the
>> following message in error_log:
>>
>> /var/log/apache2/error_log:[Thu Nov 21 09:40:48 2014] [error]
>> [client 10.49.64.85] access to /documents/ failed, reason: user
>> 'u...@foo.de' does not meet 'require'ments for user/valid-user
>> to be allowed access
>>
>> Apache is version 2.2.10
>>
>> If I set it to require ldap-user u...@foo.de or require
>> ldap-group ... it is all fine, so the ldap part does its
>> thing.
>>
>>
>> Marc
 
 

-
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org



Re: [users@httpd] require valid-user with ldap

2014-11-26 Thread Tobias Adolph

Hi,

do you have any other authorization modules (like mod_shib for
shibboleth-authentication)?

We had an issue concerning require valid-user, too. I guess that if
several authorization handlers are active, the require valid-user
directive asks each of them for approval. At least mod_shib shows this
behaviour. The fact that if you give the specific user (which determines
the specific authorization authority) or a require-directive specific to
an authorization module supports this assumption.


Hope this helps.

Kind regards
Tobias

On 24.11.2014 at 12:13, Marc Patermann wrote:

> Hi,
>
> I am using the following .htaccess
>
> AuthBasicProvider ldap file
> AuthType Basic
> AuthzLDAPAuthoritative off
> Authname ...
> AuthUserFile /srv/www/.htusers-mf
> AuthLDAPURL ldap://ldapserver/ou=humans,ou=foo,c=de?mail??(mail=*@ofd-*.foo.de)
>
> <Limit PROPFIND OPTIONS GET>
>  #Require ldap-group ou=Benutzer-Opst,ou=gruppen,ou=humans,ou=foo,c=de
>  #Require user k1-st-01
>  Require valid-user
> </Limit>
> ...
>
> The require valid-user does not work for ldap users. I get the
> following message in error_log:
>
> /var/log/apache2/error_log:[Thu Nov 21 09:40:48 2014] [error] [client
> 10.49.64.85] access to /documents/ failed, reason: user 'u...@foo.de'
> does not meet 'require'ments for user/valid-user to be allowed access
>
> Apache is version 2.2.10
>
> If I set it to require ldap-user u...@foo.de or require ldap-group
> ... it is all fine, so the ldap part does its thing.
>
>
> Marc




--
Tobias Adolph
Leibniz-Rechenzentrum
Zimmer I.2.019
Boltzmannstraße 1
85748 Garching bei München





[users@httpd] require valid-user with ldap

2014-11-24 Thread Marc Patermann

Hi,

I am using the following .htaccess

AuthBasicProvider ldap file
AuthType Basic
AuthzLDAPAuthoritative off
Authname ...
AuthUserFile /srv/www/.htusers-mf
AuthLDAPURL ldap://ldapserver/ou=humans,ou=foo,c=de?mail??(mail=*@ofd-*.foo.de)

<Limit PROPFIND OPTIONS GET>
 #Require ldap-group ou=Benutzer-Opst,ou=gruppen,ou=humans,ou=foo,c=de
 #Require user k1-st-01
 Require valid-user
</Limit>
...

The require valid-user does not work for ldap users. I get the
following message in error_log:

/var/log/apache2/error_log:[Thu Nov 21 09:40:48 2014] [error] [client
10.49.64.85] access to /documents/ failed, reason: user 'u...@foo.de'
does not meet 'require'ments for user/valid-user to be allowed access

Apache is version 2.2.10

If I set it to require ldap-user u...@foo.de or require ldap-group
... it is all fine, so the ldap part does its thing.



Marc
