Hopefully this reply will help someone else who has encountered this problem. Here is my solution, and my understanding of how it works.
Listen 81

<Location />
    #subversion configuration
    DAV svn
    SVNParentPath /srv/svnrepos
    # Limit write permission to list of valid users.
    # Require SSL connection for password protection.
    # SSLRequireSSL
    AuthType Basic
    AuthName "ARock Software Subversion"
    #set the authentication to ldap
    AuthBasicProvider ldap
    #Admin binding
    AuthLDAPBindDN cn=Manager,dc=mydomain,dc=com
    AuthLDAPBindPassword mypassword
    AuthzLDAPAuthoritative off
    #Default Search String, this is used to validate users
    AuthLDAPURL ldap://ldap:389/ou=Employees,ou=People,dc=mydomain,dc=com
    #require a member of the dev group. In my LDAP, the attribute of users on the posix group is "memberUid"
    AuthLDAPGroupAttribute memberUid
    #the value of the attribute above is a username, not a full name
    AuthLDAPGroupAttributeIsDN off
    require ldap-group cn=development,ou=Groups,dc=mydomain,dc=com
</Location>

On 3/20/07, Todd Nine <[EMAIL PROTECTED]> wrote:
Hi Gaël,

I'm a bit of an LDAP noob from the administrative side, I've only connected and queried information from Java Applications. I've installed OpenLDAP on CentOS 4.3, I'm connecting to LDAP from a Fedora 6 box with Apache 2.2.

I have it partially working thanks to your response! I missed the "AuthzLDAPAuthoritative directive be set to off" for require valid-user. I have the following configuration and it now works for all employee access, but I want to limit it to only developers. The posix group "developers" path is below:

cn=development,ou=Groups,dc=arocksoftware,dc=com

The member attribute in the development group is "memberUid" for the user id of all members. I tried changing the config below to the following parameters, and it won't authenticate with the require group on. If I comment out the group directive and just go with require valid-user, it works. Can I get any help on what's wrong with my group query string?

Thanks,
Todd

Working Starting point

<Location />
    DAV svn
    SVNParentPath /srv/svnrepos
    # Limit write permission to list of valid users.
    # Require SSL connection for password protection.
    # SSLRequireSSL
    #Admin binding
    AuthLDAPBindDN {admin dn removed}
    AuthLDAPBindPassword {admin password removed}
    AuthzLDAPAuthoritative off
    #Default Search String
    AuthLDAPURL ldap://ldap:389/ou=Employees,ou=People,dc=arocksoftware,dc=com?uid
    #require a member of the dev group
    AuthLDAPGroupAttribute memberUid
    require ldap-group cn=development,ou=Groups,dc=arocksoftware,dc=com
    #Require valid-user
</Location>

On 3/20/07, Gaël Lams <[EMAIL PROTECTED]> wrote:
>
> On 3/20/07, Todd Nine <[EMAIL PROTECTED]> wrote:
> > Hi all,
> > I'm having a bit of trouble getting mod_authz_ldap to work. I have my OU
> > layout and my posix groups layout included.
> > I'm simply trying to authenticate the user "tnine" against the group
> > cn=development,ou=Groups,dc=arocksoftware,dc=com
> >
> > I receive the following error, so I'm obviously not getting authorized
> >
> > auth_ldap authenticate: user tnine authentication failed; URI /vcproject/
> > [ldap_search_ext_s() for user failed][No such object]
> >
> > I have the following settings in my authorization directive. But I have
> > several questions. Any help would be greatly appreciated.
> >
> > 1. I'm using a posixGroup, is that not possible?
> > 2. I have set the log level to debug, but I only get the above line in the
> > error_log. I'd like to see the query string it's issuing, is that possible?
> > 3. I thought that by setting the AuthLDAPGroupAttribute it would find my
> > username and authenticate me, is that not correct?
>
> I personally always look on the ldap back-end side to see the query
> string being issued. Which ldap directory are you using?
>
> Before working with a group, do you have the ldap authentication
> working for a single user?
>
> "require valid-user" directive requires that mod_authz_user be loaded
> and that the AuthzLDAPAuthoritative directive be set to off but you
> have it set to off
> (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqvaliduser).
>
> AuthLDAPGroupAttribute specifies which LDAP attributes are used to
> check for group membership.
> The require directives are used during the authorization phase: are
> you sure you're right in specifying both require valid-user and
> require ldap-group? As said a few lines below, require valid-user
> requires an additional authorization module (mod_authz_user). Why
> don't you use only require ldap-group? This way you could let
> "AuthzLDAPAuthoritative On"?
>
> Regards,
>
> Gaël
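The group check this thread converges on, as an added example that is not part of any message in it: a small Python model of how mod_authnz_ldap decides "require ldap-group" under AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN, following the documented semantics (AttributeIsDN on compares the user's DN, off compares the authenticated username; the default is on). It reproduces why Todd's first attempt with memberUid failed and why adding AuthLDAPGroupAttributeIsDN off made it work. The in-memory directory, the extra "qa" groupOfNames entry, the user DN and the second member uid are constructed for the example; the development group DN and the user tnine come from the messages. Real LDAP compares use the attribute's matching rule, which the toy replaces with an exact string match.

```python
"""Model of Apache mod_authnz_ldap's ``require ldap-group`` decision.

Constructed example: DIRECTORY is a toy in-memory dict, not a real LDAP
server. Group and user DNs other than the development group and tnine are
made up for illustration.
"""
from dataclasses import dataclass

# Constructed directory: a posixGroup whose memberUid values are bare user ids,
# a groupOfNames whose member values are full DNs, and the user entry that
# Apache would resolve through AuthLDAPURL.
DIRECTORY = {
    "cn=development,ou=Groups,dc=arocksoftware,dc=com": {
        "objectClass": ["posixGroup"],
        "cn": ["development"],
        "memberUid": ["tnine", "glams"],
    },
    "cn=qa,ou=Groups,dc=arocksoftware,dc=com": {
        "objectClass": ["groupOfNames"],
        "cn": ["qa"],
        "member": ["uid=alice,ou=Employees,ou=People,dc=arocksoftware,dc=com"],
    },
    "uid=tnine,ou=Employees,ou=People,dc=arocksoftware,dc=com": {
        "objectClass": ["posixAccount"],
        "uid": ["tnine"],
    },
}


@dataclass
class LdapGroupConfig:
    """The two directives that decide how a group's member values are compared."""
    # AuthLDAPGroupAttribute: attributes that hold the member values.
    # Apache's default is member and uniqueMember.
    group_attributes: tuple = ("member", "uniqueMember")
    # AuthLDAPGroupAttributeIsDN: on -> compare the user's DN,
    # off -> compare the authenticated username. Apache's default is on.
    attribute_is_dn: bool = True


def require_ldap_group(group_dn, username, user_dn, cfg, directory=DIRECTORY):
    """Return True if ``require ldap-group <group_dn>`` would grant access.

    For each configured attribute the module compares either the user's DN
    (AttributeIsDN on) or the username (off) against the group's values.
    A missing group DN behaves like LDAP's "No such object": access denied.
    """
    group = directory.get(group_dn)
    if group is None:
        return False
    needle = user_dn if cfg.attribute_is_dn else username
    return any(needle in group.get(attr, []) for attr in cfg.group_attributes)


USER = "tnine"
USER_DN = "uid=tnine,ou=Employees,ou=People,dc=arocksoftware,dc=com"  # constructed
DEV_GROUP = "cn=development,ou=Groups,dc=arocksoftware,dc=com"


def todd_first_attempt():
    # AuthLDAPGroupAttribute memberUid with AttributeIsDN left at its default
    # (on): the user's DN is compared against bare uids and never matches.
    cfg = LdapGroupConfig(group_attributes=("memberUid",), attribute_is_dn=True)
    return require_ldap_group(DEV_GROUP, USER, USER_DN, cfg)


def todd_working_config():
    # AuthLDAPGroupAttribute memberUid plus AuthLDAPGroupAttributeIsDN off:
    # the username is compared against memberUid, which is what a posixGroup
    # actually stores.
    cfg = LdapGroupConfig(group_attributes=("memberUid",), attribute_is_dn=False)
    return require_ldap_group(DEV_GROUP, USER, USER_DN, cfg)


def groupofnames_default_config():
    # A groupOfNames works with Apache's defaults because member holds DNs.
    cfg = LdapGroupConfig()
    return require_ldap_group(
        "cn=qa,ou=Groups,dc=arocksoftware,dc=com",
        "alice",
        "uid=alice,ou=Employees,ou=People,dc=arocksoftware,dc=com",
        cfg,
    )


if __name__ == "__main__":
    print("memberUid, AttributeIsDN on :", todd_first_attempt())           # False
    print("memberUid, AttributeIsDN off:", todd_working_config())          # True
    print("groupOfNames, defaults      :", groupofnames_default_config())  # True
```

The takeaway for anyone debugging the same symptom: the group attribute name and the AttributeIsDN setting have to agree with what the group objectClass stores, and mod_authnz_ldap does not warn when they do not, it simply denies.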