Hello,
Nobody is using ldap based authentication and authorization, based on
group ?
I mean I am testing it for some days and I can't figure out the problem.
I really think I'm compliant with the 2.2 doc (for example require
ldap-user is working and I don't much difference with require ldap-group
...)
Does anybody succeeded in building such a configuration ?
If nobody did, I'll fill a bug report ... (Which is not necessary if
someone ever succeed ;-)).
Thank you in advance,
Best Regards,
Christophe Gravier a écrit :
Hello,
Regarding new Apache 2.2 authentification and authorization layers,
especially ldap-group (
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ),
I wanted to build authentification and authorization based on ldap
group membership.
I build my directive the same way as those man pages, that means:
<Location "/DevDSI_trac">
SetEnv TRAC_ENV "/var/trac/DevDSI"
AuthType Basic
AuthName "DevDSI trac"
AuthBasicProvider ldap
AuthLDAPURL
ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
require ldap-group cn=satin,ou=groups,o=istase,c=fr
</Location>
This is not working. I did check that ldap-group contains no typo.
AuthLDAPURL is ok since I can make it my identification working with
"require ldap-user" directive.
I also make it working by setting AuthzLDAPAuthoritative to off for
"require valid-user" directive (but this is not ldap group based
authorization of course).
Moreover, my group is declared as follow in my openldap directory:
dn: cn=satin,ou=groups,o=istase,c=fr
objectClass: groupOfUniqueNames
uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
uniqueMember: etc....
So, when I try to log in the web area, I receive a "401 Authorization
required". There's no trace in error log (I got a trace if I enter a
bad password though).
This means I successfully go through auth type and authentication
layers but not through authorization (but no error message in
error.log !).
My loaded modules are:
ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
alias.load, auth_basic.load, authn_file.load, authnz_ldap.load,
authz_host.load, authz_owner.load, authz_user.load, autoindex.load,
cgi.load, dav.load, dav_svn.load, dir.load, env.load, ldap.load,
mime.load, negotiation.load, php4.conf, php4.load, status.load
I think I understand the new architecture well because I clearly made
"ldap-user" and "valid-user without ldap authoritative" working. But
there's something for ldap-group I can't figure out for a couple of
days; that's why I decided to ask on this mailing list.
Does anyone have an idea please on my configuration ? I can post info
if needed ....
Or at least, does anyone have a configuration working with ldap based
on groups ?
Thank you in advance,
Regards.
--
Christophe Gravier
Laboratoire DIOM, équipe SATIn - Doctorant
http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Ingénieur d'études http://www.istase.com
Perso: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]