Package: apache2.2-common
Version: 2.2.16-6
Severity: normal

In the default configuration mod_authnz_ldap.load is symlinked from mods-available to mods-enabled but that orders it (lexicographically) after the symlink to load mod_authnz_default.

This causes a number of ldap specific arguments to the Require definition to be unrecognized and logged as follows:

  [Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:"ldap-user bpktest bpkroth"
  [Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:"ldap-group cn=bpk-test,ou=Group,o=ORG"
  [Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:"ldap-attribute myacl=unix"
  [Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: user bpktest not allowed access

The relevant tidbits from my .htaccess file are as follows:

  # Allow authenticated access
  AuthType Basic
  AuthName "Restricted Access"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL "ldap://ldapauth.mydomain.com:389/ou=People,o=ORG?uid" STARTTLS
  AuthLDAPRemoteUserIsDN Off
  AuthLDAPGroupAttribute memberUid
  AuthLDAPGroupAttributeIsDN off
  Require ldap-user bpktest bpkroth
  Require ldap-group cn=bpk-test,ou=Group,o=ORG
  Require ldap-attribute myacl=unix

Adding another symlink to mod_authnz_ldap.load in mods-enabled as 01-mod_authnz_ldap.load corrects this behavior, albeit with a warning message on startup (probably avoidable with an if statement around the load).

Let me know if you need anything else.

Thanks,
Brian

-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  01-authnz_ldap alias auth_basic auth_kerb auth_pam auth_plain
  auth_sys_group authn_file authnz_ldap authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env include info ldap
  mime mod-security negotiation php5 reqtimeout rewrite rpaf setenvif
  ssl status unique_id vhost_alias wsgi
List of enabled php5 extensions:
  adodb apc curl ffmpeg gd geoip gmp idn imagick interbase lasso ldap
  mcrypt memcache ming mssql mysql mysqli odbc pam_auth pdo pdo_dblib
  pdo_mysql pdo_odbc pdo_pgsql pdo_sqlite pgsql ps pspell radius recode
  redland sasl snmp sqlite sqlite3 ssh2 suhosin tidy uuid xmlrpc xsl

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2.2-common depends on:
ii  apache2-utils    2.2.16-6          utility programs for webservers
ii  apache2.2-bin    2.2.16-6          Apache HTTP Server common binary f
ii  libmagic1        5.04-5            File type determination library us
ii  lsb-base         3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip
ii  mime-support     3.48-1            MIME files 'mime.types' & 'mailcap
ii  perl             5.10.1-17         Larry Wall's Practical Extraction
ii  procps           1:3.2.8-9         /proc file system utilities

Versions of packages apache2.2-common recommends:
pn  ssl-cert                      <none>  (no description available)

Versions of packages apache2.2-common suggests:
pn  apache2-doc                   <none>        (no description available)
pn  apache2-suexec | apache2-su   <none>        (no description available)
ii  lynx-cur [www-browser]        2.8.8dev.5-1  Text-mode WWW Browser with NLS sup

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event     <none>    (no description available)
pn  apache2-mpm-itk       <none>    (no description available)
ii  apache2-mpm-prefork   2.2.16-6  Apache HTTP Server - traditional n
pn  apache2-mpm-worker    <none>    (no description available)

-- Configuration Files:
/etc/apache2/mods-available/authnz_ldap.load changed:
# NOTE: This must be loaded before mod_authnz_default to avoid messages like this:
# unknown require directive:"ldap-attribute myacl=unix"
# 2011-03-23
# bpkroth
# Depends: ldap
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

-- no debconf information
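
A way to inspect the load order this report is about, as an added example that is not part of the original report or of the Debian package: the script lists every LoadModule line under a mods-enabled directory in file-name order and names any module loaded more than once. It assumes Apache reads the *.load files in byte-sorted name order; the function names, the temporary sample directory, and the authz_default and ldap LoadModule lines in it are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the report: show LoadModule order in mods-enabled.

# Print "position module file" for each LoadModule line, reading *.load files
# in byte-sorted name order (assumed to match Apache's wildcard Include).
load_order() {
    printf '%s\n' "$1"/*.load | LC_ALL=C sort | while IFS= read -r f; do
        [ -e "$f" ] || continue   # unmatched glob or dangling symlink
        awk -v file="${f##*/}" \
            'tolower($1) == "loadmodule" { print $2, file }' "$f"
    done | awk '{ print NR, $1, $2 }'
}

# Exit 0 if module $2 is first loaded before module $3, 1 if it is not,
# 2 if either module is never loaded.
check_order() {
    load_order "$1" | awk -v a="$2" -v b="$3" '
        $2 == a && !pa { pa = $1 + 0 }
        $2 == b && !pb { pb = $1 + 0 }
        END { if (!pa || !pb) exit 2; exit ((pa < pb) ? 0 : 1) }'
}

# Print each module named by more than one LoadModule line, as happens when
# a second symlink to the same .load file is added.
duplicate_loads() {
    load_order "$1" | awk 'seen[$2]++ == 1 { print $2 }'
}

# Constructed sample: three .load files plus the extra 01- symlink.
make_sample() {
    d=$(mktemp -d) || return 1
    m=/usr/lib/apache2/modules
    echo "LoadModule authnz_ldap_module $m/mod_authnz_ldap.so" > "$d/authnz_ldap.load"
    echo "LoadModule authz_default_module $m/mod_authz_default.so" > "$d/authz_default.load"
    echo "LoadModule ldap_module $m/mod_ldap.so" > "$d/ldap.load"
    ln -s authnz_ldap.load "$d/01-authnz_ldap.load"
    echo "$d"
}

sample=$(make_sample) && {
    load_order "$sample"
    echo "loaded more than once: $(duplicate_loads "$sample")"
    rm -rf "$sample"
}
```

On a real system, pass /etc/apache2/mods-enabled as the directory argument to load_order, check_order or duplicate_loads.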