Sohail Somani wrote:
Hi,
I'm trying to set up ldap authentication. I am pretty sure that it
authenticates because if I get the following results from the error logs
in specific situations:
Invalid user: auth_ldap authenticate: user <bad_user> authentication
failed; URI /mypaty [User not found][No such object]
Valid user/invalid pw: user <good_user>: authentication failure for
"/mypath": Password Mismatch
Valid user/valid pw: No output from error log
So I assume that it works and is set up correctly. Additionally, I have
used ldapsearch to verify that the ldap strings are doing the right
dance.
However, in the last case, when it appears that I have authenticated,
Firefox/IE keep popping up the authorization box even when the user/pw
are correct! Here is my relevant (I hope) config:
<Location /mypath>
AuthType basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword "<password>"
SSLRequireSSL
require valid-user
</Location>
Any assistance would be great!
Are you using Apache >= 2.2?
If yes, "require valid-user" is not the directive for the authnz_ldap
module.
If you're using Apache >= 2.2 and you want to:
1/ allow "any" authenticated user to enter, whatever his group
membership is (i.e. no authorization control), you must "bypass" the
authz_ldap authorization module by setting "AuthzLDAPAuthoritative" to
off (else Apache searches for require ldap-user or ldap-group directives):
<Location /mypath>
AuthType basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword "<password>"
SSLRequireSSL
require valid-user
</Location>
2/ allow a limited list of known users of the directory (needs the require
ldap-user directive and not require ldap-user):
<Location /mypath>
AuthType basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword "<password>"
SSLRequireSSL
require ldap-user myuser_uid
</Location>
3/ allow a group of users (authorization based on group membership):
<Location /mypath>
AuthType basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword "<password>"
SSLRequireSSL
require ldap-group my_group_full_dn
</Location>
HTH
Christophe
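As an added illustration, not part of either message in this thread, the Python helper below parses an AuthLDAPURL like the one above into its parts and builds the search filter mod_authnz_ldap issues for a login name, `(&(filter)(attribute=username))`, escaping the username per RFC 4515 the way the module does before substituting it. The `<host>` placeholder is the thread's own; the defaults (attribute `uid`, scope `sub`, filter `(objectclass=*)`) follow the module's documentation, and wrapping an unparenthesized filter in parentheses is my assumption, not documented module behaviour.

```python
"""Parse an Apache mod_authnz_ldap AuthLDAPURL and show the search it performs."""
from dataclasses import dataclass

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class AuthLdapUrl:
    scheme: str
    host: str
    base_dn: str
    attribute: str
    scope: str
    filter: str


def parse_auth_ldap_url(url: str) -> AuthLdapUrl:
    """Split scheme://host/basedn?attribute?scope?filter into its parts."""
    scheme, rest = url.split("://", 1)
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {scheme}")
    host, _, query = rest.partition("/")
    parts = query.split("?", 3)          # at most 4 fields
    parts += [""] * (4 - len(parts))     # pad missing trailing fields
    base_dn, attribute, scope, filt = parts
    filt = filt or "(objectclass=*)"
    if not filt.startswith("("):          # assumption: wrap a bare filter
        filt = f"({filt})"
    # Defaults documented for mod_authnz_ldap: uid, sub, (objectclass=*)
    return AuthLdapUrl(scheme, host, base_dn, attribute or "uid",
                       scope or "sub", filt)


def user_search_filter(cfg: AuthLdapUrl, username: str) -> str:
    """Filter the module combines for the login: (&(<filter>)(<attr>=<user>))."""
    return f"(&{cfg.filter}({cfg.attribute}={escape_filter_value(username)}))"


if __name__ == "__main__":
    # Constructed input: the AuthLDAPURL from the thread, with <host> kept.
    url = ("ldap://<host>/ou=Development,ou=Corporate Users,"
           "dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)")
    cfg = parse_auth_ldap_url(url)
    print(cfg)
    print(user_search_filter(cfg, "jdoe"))
```

Comparing the printed filter against what `ldapsearch -b <base_dn> -s <scope> '<filter>'` returns for a known login is the quickest way to confirm the URL's attribute and base DN before blaming the authorization stage.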
TIA
Sohail
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [EMAIL PROTECTED]
" from the digest: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
Christophe Gravier
Laboratoire DIOM, équipe SATIn - Doctorant
http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Ingénieur d'études http://www.istase.com
Perso: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/