Hi Gaël,
I'm a bit of an LDAP noob from the administrative side, I've only connected
and queried information from Java Applications. I've installed OpenLDAP on
CentOS 4.3, I'm connecting to LDAP from a Fedora 6 box with Apache 2.2. I
have it partially working thanks to your response! I missed the
"AuthzLDAPAuthoritative
directive be set to off" for require valid-user. I have the following
configuration and it now works for all employee access, but I want to limit
it to only developers. The posix group "developers" path is below
cn=development,ou=Groups,dc=arocksoftware,dc=comThe member attribute in the
development group is "memberUid" for the user id of all members
I tried change the config below to the following parameters, and it won't
authenticate with the require group on. If I comment out the group
directive and just go with require valid user, it works. Can I get any help
on what's wrong with my group query string?
Thanks,
Todd
Working Starting point
<Location />
DAV svn
SVNParentPath /srv/svnrepos
# Limit write permission to list of valid users.
# Require SSL connection for password protection.
# SSLRequireSSL
#Admin binding
AuthLDAPBindDN {admin dn removed}
AuthLDAPBindPassword {admin password removed}
AuthzLDAPAuthoritative off
#Default Search String
AuthLDAPURL
ldap://ldap:389/ou=Employees,ou=People,dc=arocksoftware,dc=com?uid
#require a member of the dev group
AuthLDAPGroupAttribute memberUid
require ldap-group cn=development,ou=Groups,dc=arocksoftware,dc=com
#Require valid-user
</Location>
On 3/20/07, Gaël Lams <[EMAIL PROTECTED]> wrote:
On 3/20/07, Todd Nine <[EMAIL PROTECTED]> wrote:
> Hi all,
> I'm having a bit of trouble getting mod_authz_ldap to work. I have my
OU
> layout and my posix groups layout included. I'm simply trying to
> authenticate the user "tnine" against the group
> cn=development,ou=Groups,dc=arocksoftware,dc=com
>
>
> I receive the following error, so I'm obviously not getting authorized
>
> auth_ldap authenticate: user tnine authentication failed; URI
/vcproject/
> [ldap_search_ext_s() for user failed][No such object]
>
>
> I have the following settings in my authorization directive. But I
have
> several questions. Any help would be greatly appreciated.
>
> 1. I'm using a posixGroup, is that not possible?
> 2. I have set the log level to debug, but I only get the above line in
the
> error_log. I'd like to see the query string its issuing, is that
possible?
> 3. I thought that by setting the AuthLDAPGroupAttribute it would find my
> username and authenticate me, is that not correct?
I personally always look on the ldap back-end side to see the query
string being issued. Which ldap directory are you using
Before working with a group, do you have the ldap authentication
working for a single user?
"require valid-user" directive requires that mod_authz_user be loaded
and that the AuthzLDAPAuthoritative directive be set to off but you
have it set to off
(http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqvaliduser).
AuthLDAPGroupAttribute specifies which LDAP attributes are used to
check for group membership.
The require directives are used during the authorization phase: are
you sure you're right in specifying both require valid-user and
require ldap-group? As said a few lines below, require valid-user
require an additional authorization modules (mod_authz_user). Why
don't use only require ldap-group? This whay you could let
"AuthzLDAPAuthoritative On"?
Regards,
Gaël
