Thanks Peter for all of your suggestions. I have followed them all with
the exception of your security recommendations. I have avoided this
matter in an attempt to minimize the complexity of the problem so my
small mind can see what is happening.
As you suggested Peter, I have read logs, rfcs and a great book by Matt
Butcher called Mastering OpenLDAP. Ah but my thick skull is still suck.
Over the last 3 days I have played with a number of configurations and
executed numerous varieties of searchs. But to no good. If you look
down to the caption "My Best Result," It seems OpenLDAP has made it to
the point where it is searching the 2 cn(s). But the filter error
prevents it from finding the uniqueMember. If you search for
"bdb_search: 11 does not match filter" and move up 5 or six lines you
will see what makes me believe this.
I would appreciate help again.
ou=groups content
=============================================================
server2.local # ldapsearch -v -x -w secret -D
'cn=Manager,dc=my,dc=domain,dc=com' -b
'ou=groups,dc=my,dc=domain,dc=com' -LLL
<
ldap_initialize( <DEFAULT> )
filter: (objectclass=*)
requesting: All userApplication attributes
dn: ou=groups,dc=my,dc=domain,dc=com
ou: groups
description: my.domain groups
objectClass: organizationalUnit
dn: cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com
ou: groups
description: People who are employees of Super Team
uniqueMember: uid=jeffshearer,dc=my,dc=domain,dc=com
uniqueMember: uid=maeshearer,dc=my,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: SuperTeam
dn: cn=SuperGroup,ou=groups,dc=my,dc=domain,dc=com
ou: groups
description: People who are employees of Super Group
uniqueMember: uid=jacksonshearer,dc=my,dc=domain,dc=com
uniqueMember: uid=larryfordham,dc=my,dc=domain,dc=com
uniqueMember: uid=spamimoron,dc=my,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: SuperGroup
Peter's suggestion
============================================================================
<Directory /files/superteam.docs>
AuthType basic
AuthName "Super Team Members Only"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPBindDN "cn=Manager,dc=my,dc=domain,dc=com"
AuthLDAPBindPassword "secret"
AuthLDAPGroupAttribute uniqueMember
#AuthLDAPGroupAttribute uid
AuthLDAPGroupAttributeIsDN on
#AuthLDAPURL
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com -s sub
(&(objectclass=groupOfUniq
ueNames)(cn=SuperTeam))"
#AuthLDAPURL
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com (cn=SuperTeam)"
AuthLDAPURL
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com?uniqueMember?sub?(objectClass=grou
pOfUniqueNames)"
#AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com"
Require ldap-group "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com"
AllowOverride None
Order allow,deny
Allow from all
Options +Includes
XbitHack on
</Directory>
Jun 2 10:34:00 server2 slapd[41001]: => bdb_search
Jun 2 10:34:00 server2 slapd[41001]:
bdb_dn2entry("ou=groups,dc=my,dc=domain,dc=com")
Jun 2 10:34:00 server2 slapd[41001]: => access_allowed: search access
to "ou=groups,dc=my,dc=domain,dc=com" "entry"
requested
Jun 2 10:34:00 server2 slapd[41001]: <= root access granted
Jun 2 10:34:00 server2 slapd[41001]: => access_allowed: search access
granted by manage(=mwrscxd)
Jun 2 10:34:00 server2 slapd[41001]: search_candidates:
base="ou=groups,dc=my,dc=domain,dc=com" (0x00000003) scope=2
Jun 2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 10:34:00 server2 slapd[41001]: EQUALITY
Jun 2 10:34:00 server2 slapd[41001]: => bdb_equality_candidates
(objectClass)
Jun 2 10:34:00 server2 slapd[41001]: => key_read
Jun 2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: [01872a84]
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_index_read: failed (-30989)
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_equality_candidates: id=0,
first=0, last=0
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0
first=0 last=0
Jun 2 10:34:00 server2 slapd[41001]: =>
bdb_dn2idl("ou=groups,dc=my,dc=domain,dc=com")
Jun 2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key:
@ou=groups,dc=my,dc=domain,dc=com
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_dn2idl: id=3 first=3 last=12
Jun 2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 10:34:00 server2 slapd[41001]: AND
Jun 2 10:34:00 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun 2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 10:34:00 server2 slapd[41001]: OR
Jun 2 10:34:00 server2 slapd[41001]: => bdb_list_candidates 0xa1
Jun 2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 10:34:00 server2 slapd[41001]: EQUALITY
Jun 2 10:34:00 server2 slapd[41001]: => bdb_equality_candidates
(objectClass)
Jun 2 10:34:00 server2 slapd[41001]: => key_read
Jun 2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: [b49d1940]
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_index_read: failed (-30989)
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_equality_candidates: id=0,
first=0, last=0
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0
first=0 last=0
Jun 2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 10:34:00 server2 slapd[41001]: AND
Jun 2 10:34:00 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun 2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 10:34:00 server2 slapd[41001]: EQUALITY
Jun 2 10:34:00 server2 slapd[41001]: => bdb_equality_candidates
(objectClass)
Jun 2 10:34:00 server2 slapd[41001]: => key_read
Jun 2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: [32028718]
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_index_read 2 candidates
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_equality_candidates: id=2,
first=11, last=12
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=2
first=11 last=12
Jun 2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0
first=0 last=0
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_list_candidates: id=0
first=11 last=0
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0
first=11 last=0
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_list_candidates: id=0
first=0 last=0
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0
first=0 last=0
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_list_candidates: id=0
first=3 last=0
Jun 2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0
first=3 last=0
Jun 2 10:34:00 server2 slapd[41001]: bdb_search_candidates: id=0
first=3 last=0
Jun 2 10:34:00 server2 slapd[41001]: bdb_search: no candidates
Jun 2 10:34:00 server2 slapd[41001]: send_ldap_result: conn=186 op=1 p=3
Jun 2 10:34:00 server2 slapd[41001]: send_ldap_result: err=0 matched=""
text="value does not conform to assertion syntax"
Jun 2 10:34:00 server2 slapd[41001]: send_ldap_response: msgid=2
tag=101 err=0
Jun 2 10:34:00 server2 slapd[41001]: conn=186 op=1 SEARCH RESULT
tag=101 err=0 nentries=0 text=value does not conform to
assertion syntax
Jun 2 10:34:00 server2 slapd[41001]: daemon: activity on 1 descriptor
Jun 2 10:34:00 server2 slapd[41001]: daemon: waked
Jun 2 10:34:00 server2 slapd[41001]: daemon: select: listen=6
active_threads=0 tvp=NULL
Jun 2 10:34:00 server2 slapd[41001]: daemon: select: listen=7
active_threads=0 tvp=NULL
My Best Result
===============================================================
<Directory /files/superteam.docs>
AuthType basic
AuthName "Super Team Members Only"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPBindDN "cn=Manager,dc=my,dc=domain,dc=com"
AuthLDAPBindPassword "secret"
AuthLDAPGroupAttribute uniqueMember
#AuthLDAPGroupAttribute uid
AuthLDAPGroupAttributeIsDN on
#AuthLDAPURL
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com -s sub
(&(objectclass=groupOfUniq
ueNames)(cn=SuperTeam))"
#AuthLDAPURL
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com (cn=SuperTeam)"
#AuthLDAPURL
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com?uniqueMember?sub?(objectClass=gro
upOfUniqueNames)"
AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com"
Require ldap-group "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com"
AllowOverride None
Order allow,deny
Allow from all
Options +Includes
XbitHack on
</Directory>
Jun 2 09:40:35 server2 slapd[41001]: conn=183 op=1 do_search
Jun 2 09:40:35 server2 slapd[41001]: >>> dnPrettyNormal:
<ou=groups,dc=my,dc=domain,dc=com>
Jun 2 09:40:35 server2 slapd[41001]: <<< dnPrettyNormal:
<ou=groups,dc=my,dc=domain,dc=com>,
<ou=groups,dc=my,dc=domain,dc=com>
Jun 2 09:40:35 server2 slapd[41001]: SRCH
"ou=groups,dc=my,dc=domain,dc=com" 2 3
Jun 2 09:40:35 server2 slapd[41001]: 0 0 0
Jun 2 09:40:35 server2 slapd[41001]: begin get_filter
Jun 2 09:40:35 server2 slapd[41001]: AND
Jun 2 09:40:35 server2 slapd[41001]: begin get_filter_list
Jun 2 09:40:35 server2 slapd[41001]: begin get_filter
Jun 2 09:40:35 server2 slapd[41001]: PRESENT
Jun 2 09:40:35 server2 slapd[41001]: end get_filter 0
Jun 2 09:40:35 server2 slapd[41001]: begin get_filter
Jun 2 09:40:35 server2 slapd[41001]: EQUALITY
Jun 2 09:40:35 server2 slapd[41001]: end get_filter 0
Jun 2 09:40:35 server2 slapd[41001]: end get_filter_list
Jun 2 09:40:35 server2 slapd[41001]: end get_filter 0
Jun 2 09:40:35 server2 slapd[41001]: filter:
(&(objectClass=*)(uid=jeffshearer))
Jun 2 09:40:35 server2 slapd[41001]: attrs:
Jun 2 09:40:35 server2 slapd[41001]:
Jun 2 09:40:35 server2 slapd[41001]: conn=183 op=1 SRCH
base="ou=groups,dc=my,dc=domain,dc=com" scope=2 deref=3
filter="(&(objectClass=*)(uid=jeffshearer))"
Jun 2 09:40:35 server2 slapd[41001]: => bdb_search
Jun 2 09:40:35 server2 slapd[41001]:
bdb_dn2entry("ou=groups,dc=my,dc=domain,dc=com")
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
to "ou=groups,dc=my,dc=domain,dc=com" "entry"
requested
Jun 2 09:40:35 server2 slapd[41001]: <= root access granted
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
granted by manage(=mwrscxd)
Jun 2 09:40:35 server2 slapd[41001]: search_candidates:
base="ou=groups,dc=my,dc=domain,dc=com" (0x00000003) scope=2
Jun 2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 09:40:35 server2 slapd[41001]: EQUALITY
Jun 2 09:40:35 server2 slapd[41001]: => bdb_equality_candidates
(objectClass)
Jun 2 09:40:35 server2 slapd[41001]: => key_read
Jun 2 09:40:35 server2 slapd[41001]: bdb_idl_fetch_key: [01872a84]
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_index_read: failed (-30989)
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_equality_candidates: id=0,
first=0, last=0
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=0
first=0 last=0
Jun 2 09:40:35 server2 slapd[41001]: =>
bdb_dn2idl("ou=groups,dc=my,dc=domain,dc=com")
Jun 2 09:40:35 server2 slapd[41001]: bdb_idl_fetch_key:
@ou=groups,dc=my,dc=domain,dc=com
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_dn2idl: id=3 first=3 last=12
Jun 2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 09:40:35 server2 slapd[41001]: AND
Jun 2 09:40:35 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun 2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 09:40:35 server2 slapd[41001]: OR
Jun 2 09:40:35 server2 slapd[41001]: => bdb_list_candidates 0xa1
Jun 2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 09:40:35 server2 slapd[41001]: EQUALITY
Jun 2 09:40:35 server2 slapd[41001]: => bdb_equality_candidates
(objectClass)
Jun 2 09:40:35 server2 slapd[41001]: => key_read
Jun 2 09:40:35 server2 slapd[41001]: bdb_idl_fetch_key: [b49d1940]
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_index_read: failed (-30989)
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_equality_candidates: id=0,
first=0, last=0
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=0
first=0 last=0
Jun 2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 09:40:35 server2 slapd[41001]: AND
Jun 2 09:40:35 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun 2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 09:40:35 server2 slapd[41001]: PRESENT
Jun 2 09:40:35 server2 slapd[41001]: => bdb_presence_candidates
(objectClass)
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1
first=1 last=12
Jun 2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun 2 09:40:35 server2 slapd[41001]: EQUALITY
Jun 2 09:40:35 server2 slapd[41001]: => bdb_equality_candidates (uid)
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_equality_candidates: (uid)
not indexed
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1
first=1 last=12
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_list_candidates: id=-1
first=1 last=12
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1
first=1 last=12
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_list_candidates: id=-1
first=1 last=12
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1
first=1 last=12
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_list_candidates: id=3
first=3 last=12
Jun 2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=3
first=3 last=12
Jun 2 09:40:35 server2 slapd[41001]: bdb_search_candidates: id=3
first=3 last=12
Jun 2 09:40:35 server2 slapd[41001]: => test_filter
Jun 2 09:40:35 server2 slapd[41001]: AND
Jun 2 09:40:35 server2 slapd[41001]: => test_filter_and
Jun 2 09:40:35 server2 slapd[41001]: => test_filter
Jun 2 09:40:35 server2 slapd[41001]: PRESENT
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
to "ou=groups,dc=my,dc=domain,dc=com" "objectClass"
requested
Jun 2 09:40:35 server2 slapd[41001]: <= root access granted
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
granted by manage(=mwrscxd)
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter 6
Jun 2 09:40:35 server2 slapd[41001]: => test_filter
Jun 2 09:40:35 server2 slapd[41001]: EQUALITY
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
to "ou=groups,dc=my,dc=domain,dc=com" "uid" requested
Jun 2 09:40:35 server2 slapd[41001]: <= root access granted
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
granted by manage(=mwrscxd)
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter_and 5
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun 2 09:40:35 server2 slapd[41001]: bdb_search: 3 does not match filter
Jun 2 09:40:35 server2 slapd[41001]: => test_filter
Jun 2 09:40:35 server2 slapd[41001]: AND
Jun 2 09:40:35 server2 slapd[41001]: => test_filter_and
Jun 2 09:40:35 server2 slapd[41001]: => test_filter
Jun 2 09:40:35 server2 slapd[41001]: PRESENT
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
to "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com"
"objectClass" requested
Jun 2 09:40:35 server2 slapd[41001]: <= root access granted
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
granted by manage(=mwrscxd)
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter 6
Jun 2 09:40:35 server2 slapd[41001]: => test_filter
Jun 2 09:40:35 server2 slapd[41001]: EQUALITY
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
to "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com"
"uid" requested
Jun 2 09:40:35 server2 slapd[41001]: <= root access granted
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
granted by manage(=mwrscxd)
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter_and 5
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun 2 09:40:35 server2 slapd[41001]: bdb_search: 11 does not match filter
Jun 2 09:40:35 server2 slapd[41001]: => test_filter
Jun 2 09:40:35 server2 slapd[41001]: AND
Jun 2 09:40:35 server2 slapd[41001]: => test_filter_and
Jun 2 09:40:35 server2 slapd[41001]: => test_filter
Jun 2 09:40:35 server2 slapd[41001]: PRESENT
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
to "cn=SuperGroup,ou=groups,dc=my,dc=domain,dc=com"
"objectClass" requested
Jun 2 09:40:35 server2 slapd[41001]: <= root access granted
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
granted by manage(=mwrscxd)
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter 6
Jun 2 09:40:35 server2 slapd[41001]: => test_filter
Jun 2 09:40:35 server2 slapd[41001]: EQUALITY
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
to "cn=SuperGroup,ou=groups,dc=my,dc=domain,dc=com"
"uid" requested
Jun 2 09:40:35 server2 slapd[41001]: <= root access granted
Jun 2 09:40:35 server2 slapd[41001]: => access_allowed: search access
granted by manage(=mwrscxd)
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter_and 5
Jun 2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun 2 09:40:35 server2 slapd[41001]: bdb_search: 12 does not match filter
Jun 2 09:40:35 server2 slapd[41001]: send_ldap_result: conn=183 op=1 p=3
Jun 2 09:40:35 server2 slapd[41001]: send_ldap_result: err=0 matched=""
text=""
Jun 2 09:40:35 server2 slapd[41001]: send_ldap_response: msgid=2
tag=101 err=0
Jun 2 09:40:35 server2 slapd[41001]: conn=183 op=1 SEARCH RESULT
tag=101 err=0 nentries=0 text=
Jun 2 09:40:35 server2 slapd[41001]: daemon: activity on 1 descriptor
Jun 2 09:40:35 server2 slapd[41001]: daemon: waked
Jun 2 09:40:35 server2 slapd[41001]: daemon: select: listen=6
active_threads=0 tvp=NULL
Jun 2 09:40:35 server2 slapd[41001]: daemon: select: listen=7
active_threads=0 tvp=NULL
Peter Schober wrote:
* Peter Schober <peter.scho...@univie.ac.at> [2009-05-27 12:33]:
I have tried a number of configurations for group authenticaiton, all
without success. Following is the current iteration of my apache
configuration for the superteam.docs directory:
<Directory /files/superteam.docs>
AuthType basic
AuthName "Super Team Members Only"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPBindDN "cn=Manager,dc=my,dc=mydomain,dc=com"
AuthLDAPBindPassword "secret"
AuthLDAPGroupAttribute uniqueMember
AuthLDAPGroupAttributeIsDN off
AuthLDAPURL
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=mydomain,dc=com?cn=SuperTeam?"
Require ldap-group cn=SuperTeam,ou=groups
AllowOverride None
Order allow,deny
Allow from all
Options +Includes
XbitHack on
</Directory>
First, AuthLDAPGroupAttributeIsDN should be on, since obviously your
(unique)member values *are* DNs.
(Btw, unless you require the addtional distinguishing values
uniqueMember allows for -- and from your example you certainly don't
-- you can just as well use the 'member' attribute. Both 'member' and
'uniquemember' need their values to be unique.)
Second, your "Require ldap-group" is somehow truncated, it should be
the full DN of that group (is there some documentation that implies
you can just leave away the baseDN or something?)
Third, the AuthLDAPURL doesn't seem to be right (see RFC 4516 for the
specs and examples). After the DN (which "identifies the base object
of the LDAP search or the target of a non-search operation.") come the
attributes you request, if you want all you'd still need to supply the
'?' with no parameter, otherwise the only one you're interested here
is (unique)member.
Then comes the scope (limit the search to the base of the object given
as the DN of the URL; to one level below the base object, or to a
subtree search, starting from and including the base object), and only
then comes the filter (which you give as cn=SuperTeam).
And with that filter (which is not interpretefd as a filter, because
it's in the wrong part, which you would see in your slapd.log) you'd
only ever find the group cn=SuperTeam, which is not wrong, but
superfluos, since you're 'require'ing the desired group below anyway
with an apache directive (once the syntax is corrected, see my point
two).
I don't think just leaving all the parts after the DN away (so their
defaults get to be used) will help, since the scope defaults to base,
and you'll need at least 'one' or 'sub', unless you specify the exact
name of the required group in the DN of that AuthLDAPURL (which I
douldn't do, since you'd have to mess with AuthLDAPURL for every
directory; same with the group name in the filter, see above).
So I guess a correct LDAP URL for your setup should be something like this:
AuthLDAPURL
ldap://192.168.0.92:389/ou=groups,dc=my,dc=mydomain,dc=com?uniquemember?sub?(objectclass=groupOfUniqueNames)
(The port defaults to 389 so that could be left out as well, I
suppose.)
You could then reuse this AuthLDAPURL for all resources on your
server, adjusting only the "require ldap-group" directive for the
resource at hand.
And two rather generic hints wrt security:
Note that unless your directory server is on the same box or you
consider your network to be secure, you should not connect to your
slapd without securing at least the transport. For that you'd need to
configure your slapd to allow for TLS/SSL connections and supply
STARTTLS at the end of the LDAP URL (seperated by whitespace).
Instead of the STARTTLS parameter you could use ldaps:// for the
scheme, but note that there is no formal specification for LDAPS (in
contrast to LDAP+STARTTLS, see RFC 4513). So this is deprecated and
should not be used.
Also you really should not ever use the rootdn (I guess that is what
your cn=manager object really is) for anything else but directory
administration. Instead create another DN in your DIT and give this DN
the required permission (ACLs) to search and read group objects.
There are no limits to what the rootdn can do, ACLs are not even
evaluated for the rootdn (it's the rootdn, after all ;) so you can't
limit the power of this DN -- and it's password is in your httpd.conf
in the clear!
cheers,
-peter
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org