Re: [users@httpd] apache 2.2 and ldap group authentication

Tue, 02 Jun 2009 07:32:37 -0700

Thanks Peter for all of your suggestions. I have followed them all with the exception of your security recommendations. I have avoided this matter in an attempt to minimize the complexity of the problem so my small mind can see what is happening.
As you suggested Peter, I have read logs, rfcs and a great book by Matt Butcher called Mastering OpenLDAP. Ah but my thick skull is still suck. 


Over the last 3 days I have played with a number of configurations and 
executed numerous varieties of searchs.  But to no good.  If you look 
down to the caption "My Best Result,"  It seems OpenLDAP has made it to 
the point where it is searching the 2 cn(s).  But the filter error 
prevents it from finding the uniqueMember.  If you search for 
"bdb_search: 11 does not match filter" and move up 5 or six lines you 
will see what makes me believe this.


I would appreciate help again.


ou=groups content
=============================================================

server2.local # ldapsearch -v -x -w secret -D 
'cn=Manager,dc=my,dc=domain,dc=com' -b 
'ou=groups,dc=my,dc=domain,dc=com' -LLL


       <
ldap_initialize( <DEFAULT> )
filter: (objectclass=*)
requesting: All userApplication attributes
dn: ou=groups,dc=my,dc=domain,dc=com
ou: groups
description: my.domain groups
objectClass: organizationalUnit

dn: cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com
ou: groups
description: People who are employees of Super Team
uniqueMember: uid=jeffshearer,dc=my,dc=domain,dc=com
uniqueMember: uid=maeshearer,dc=my,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: SuperTeam

dn: cn=SuperGroup,ou=groups,dc=my,dc=domain,dc=com
ou: groups
description: People who are employees of Super Group
uniqueMember: uid=jacksonshearer,dc=my,dc=domain,dc=com
uniqueMember: uid=larryfordham,dc=my,dc=domain,dc=com
uniqueMember: uid=spamimoron,dc=my,dc=domain,dc=com
objectClass: groupOfUniqueNames
cn: SuperGroup


Peter's suggestion
============================================================================

<Directory /files/superteam.docs>
  AuthType basic
  AuthName "Super Team Members Only"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPBindDN "cn=Manager,dc=my,dc=domain,dc=com"
  AuthLDAPBindPassword "secret"
  AuthLDAPGroupAttribute uniqueMember
  #AuthLDAPGroupAttribute uid
  AuthLDAPGroupAttributeIsDN on

  #AuthLDAPURL 
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com -s sub 
(&(objectclass=groupOfUniq

ueNames)(cn=SuperTeam))"

  #AuthLDAPURL 
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com (cn=SuperTeam)"
  AuthLDAPURL 
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com?uniqueMember?sub?(objectClass=grou

pOfUniqueNames)"
  #AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com";
  Require ldap-group "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com"
  AllowOverride None
  Order allow,deny
  Allow from all
  Options +Includes
  XbitHack on
  </Directory>

Jun  2 10:34:00 server2 slapd[41001]: => bdb_search

Jun  2 10:34:00 server2 slapd[41001]: 
bdb_dn2entry("ou=groups,dc=my,dc=domain,dc=com")
Jun  2 10:34:00 server2 slapd[41001]: => access_allowed: search access 
to "ou=groups,dc=my,dc=domain,dc=com" "entry"


requested
Jun  2 10:34:00 server2 slapd[41001]: <= root access granted

Jun  2 10:34:00 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)
Jun  2 10:34:00 server2 slapd[41001]: search_candidates: 
base="ou=groups,dc=my,dc=domain,dc=com" (0x00000003) scope=2

Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]:   EQUALITY

Jun  2 10:34:00 server2 slapd[41001]: => bdb_equality_candidates 
(objectClass)

Jun  2 10:34:00 server2 slapd[41001]: => key_read
Jun  2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: [01872a84]
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_index_read: failed (-30989)

Jun  2 10:34:00 server2 slapd[41001]: <= bdb_equality_candidates: id=0, 
first=0, last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0
Jun  2 10:34:00 server2 slapd[41001]: => 
bdb_dn2idl("ou=groups,dc=my,dc=domain,dc=com")
Jun  2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: 
@ou=groups,dc=my,dc=domain,dc=com

Jun  2 10:34:00 server2 slapd[41001]: <= bdb_dn2idl: id=3 first=3 last=12
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]:   AND
Jun  2 10:34:00 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]:   OR
Jun  2 10:34:00 server2 slapd[41001]: => bdb_list_candidates 0xa1
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]:   EQUALITY

Jun  2 10:34:00 server2 slapd[41001]: => bdb_equality_candidates 
(objectClass)

Jun  2 10:34:00 server2 slapd[41001]: => key_read
Jun  2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: [b49d1940]
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_index_read: failed (-30989)

Jun  2 10:34:00 server2 slapd[41001]: <= bdb_equality_candidates: id=0, 
first=0, last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0

Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]:   AND
Jun  2 10:34:00 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 10:34:00 server2 slapd[41001]:   EQUALITY

Jun  2 10:34:00 server2 slapd[41001]: => bdb_equality_candidates 
(objectClass)

Jun  2 10:34:00 server2 slapd[41001]: => key_read
Jun  2 10:34:00 server2 slapd[41001]: bdb_idl_fetch_key: [32028718]
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_index_read 2 candidates

Jun  2 10:34:00 server2 slapd[41001]: <= bdb_equality_candidates: id=2, 
first=11, last=12
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=2 
first=11 last=12

Jun  2 10:34:00 server2 slapd[41001]: => bdb_filter_candidates

Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_list_candidates: id=0 
first=11 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=11 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_list_candidates: id=0 
first=0 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_list_candidates: id=0 
first=3 last=0
Jun  2 10:34:00 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=3 last=0
Jun  2 10:34:00 server2 slapd[41001]: bdb_search_candidates: id=0 
first=3 last=0

Jun  2 10:34:00 server2 slapd[41001]: bdb_search: no candidates
Jun  2 10:34:00 server2 slapd[41001]: send_ldap_result: conn=186 op=1 p=3

Jun  2 10:34:00 server2 slapd[41001]: send_ldap_result: err=0 matched="" 
text="value does not conform to assertion syntax"
Jun  2 10:34:00 server2 slapd[41001]: send_ldap_response: msgid=2 
tag=101 err=0
Jun  2 10:34:00 server2 slapd[41001]: conn=186 op=1 SEARCH RESULT 
tag=101 err=0 nentries=0 text=value does not conform to


assertion syntax
Jun  2 10:34:00 server2 slapd[41001]: daemon: activity on 1 descriptor
Jun  2 10:34:00 server2 slapd[41001]: daemon: waked

Jun  2 10:34:00 server2 slapd[41001]: daemon: select: listen=6 
active_threads=0 tvp=NULL
Jun  2 10:34:00 server2 slapd[41001]: daemon: select: listen=7 
active_threads=0 tvp=NULL



My Best Result
===============================================================
 <Directory /files/superteam.docs>
  AuthType basic
  AuthName "Super Team Members Only"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPBindDN "cn=Manager,dc=my,dc=domain,dc=com"
  AuthLDAPBindPassword "secret"
  AuthLDAPGroupAttribute uniqueMember
  #AuthLDAPGroupAttribute uid
  AuthLDAPGroupAttributeIsDN on

  #AuthLDAPURL 
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com -s sub 
(&(objectclass=groupOfUniq

ueNames)(cn=SuperTeam))"

  #AuthLDAPURL 
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com (cn=SuperTeam)"
  #AuthLDAPURL 
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com?uniqueMember?sub?(objectClass=gro

upOfUniqueNames)"
  AuthLDAPURL "ldap://192.168.0.92:389/ou=groups,dc=my,dc=domain,dc=com";
  Require ldap-group "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com"
  AllowOverride None
  Order allow,deny
  Allow from all
  Options +Includes
  XbitHack on
  </Directory>



Jun  2 09:40:35 server2 slapd[41001]: conn=183 op=1 do_search

Jun  2 09:40:35 server2 slapd[41001]: >>> dnPrettyNormal: 
<ou=groups,dc=my,dc=domain,dc=com>
Jun  2 09:40:35 server2 slapd[41001]: <<< dnPrettyNormal: 
<ou=groups,dc=my,dc=domain,dc=com>,


<ou=groups,dc=my,dc=domain,dc=com>

Jun  2 09:40:35 server2 slapd[41001]: SRCH 
"ou=groups,dc=my,dc=domain,dc=com" 2 3

Jun  2 09:40:35 server2 slapd[41001]:     0 0 0
Jun  2 09:40:35 server2 slapd[41001]: begin get_filter
Jun  2 09:40:35 server2 slapd[41001]: AND
Jun  2 09:40:35 server2 slapd[41001]: begin get_filter_list
Jun  2 09:40:35 server2 slapd[41001]: begin get_filter
Jun  2 09:40:35 server2 slapd[41001]: PRESENT
Jun  2 09:40:35 server2 slapd[41001]: end get_filter 0
Jun  2 09:40:35 server2 slapd[41001]: begin get_filter
Jun  2 09:40:35 server2 slapd[41001]: EQUALITY
Jun  2 09:40:35 server2 slapd[41001]: end get_filter 0
Jun  2 09:40:35 server2 slapd[41001]: end get_filter_list
Jun  2 09:40:35 server2 slapd[41001]: end get_filter 0

Jun  2 09:40:35 server2 slapd[41001]:     filter: 
(&(objectClass=*)(uid=jeffshearer))

Jun  2 09:40:35 server2 slapd[41001]:     attrs:
Jun  2 09:40:35 server2 slapd[41001]:

Jun  2 09:40:35 server2 slapd[41001]: conn=183 op=1 SRCH 
base="ou=groups,dc=my,dc=domain,dc=com" scope=2 deref=3


filter="(&(objectClass=*)(uid=jeffshearer))"
Jun  2 09:40:35 server2 slapd[41001]: => bdb_search

Jun  2 09:40:35 server2 slapd[41001]: 
bdb_dn2entry("ou=groups,dc=my,dc=domain,dc=com")
Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
to "ou=groups,dc=my,dc=domain,dc=com" "entry"


requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)
Jun  2 09:40:35 server2 slapd[41001]: search_candidates: 
base="ou=groups,dc=my,dc=domain,dc=com" (0x00000003) scope=2

Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]:   EQUALITY

Jun  2 09:40:35 server2 slapd[41001]: => bdb_equality_candidates 
(objectClass)

Jun  2 09:40:35 server2 slapd[41001]: => key_read
Jun  2 09:40:35 server2 slapd[41001]: bdb_idl_fetch_key: [01872a84]
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_index_read: failed (-30989)

Jun  2 09:40:35 server2 slapd[41001]: <= bdb_equality_candidates: id=0, 
first=0, last=0
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0
Jun  2 09:40:35 server2 slapd[41001]: => 
bdb_dn2idl("ou=groups,dc=my,dc=domain,dc=com")
Jun  2 09:40:35 server2 slapd[41001]: bdb_idl_fetch_key: 
@ou=groups,dc=my,dc=domain,dc=com

Jun  2 09:40:35 server2 slapd[41001]: <= bdb_dn2idl: id=3 first=3 last=12
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]:   AND
Jun  2 09:40:35 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]:   OR
Jun  2 09:40:35 server2 slapd[41001]: => bdb_list_candidates 0xa1
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]:   EQUALITY

Jun  2 09:40:35 server2 slapd[41001]: => bdb_equality_candidates 
(objectClass)

Jun  2 09:40:35 server2 slapd[41001]: => key_read
Jun  2 09:40:35 server2 slapd[41001]: bdb_idl_fetch_key: [b49d1940]
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_index_read: failed (-30989)

Jun  2 09:40:35 server2 slapd[41001]: <= bdb_equality_candidates: id=0, 
first=0, last=0
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=0 
first=0 last=0

Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]:   AND
Jun  2 09:40:35 server2 slapd[41001]: => bdb_list_candidates 0xa0
Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]:   PRESENT

Jun  2 09:40:35 server2 slapd[41001]: => bdb_presence_candidates 
(objectClass)
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1 
first=1 last=12

Jun  2 09:40:35 server2 slapd[41001]: => bdb_filter_candidates
Jun  2 09:40:35 server2 slapd[41001]:   EQUALITY
Jun  2 09:40:35 server2 slapd[41001]: => bdb_equality_candidates (uid)

Jun  2 09:40:35 server2 slapd[41001]: <= bdb_equality_candidates: (uid) 
not indexed
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_list_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_list_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=-1 
first=1 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_list_candidates: id=3 
first=3 last=12
Jun  2 09:40:35 server2 slapd[41001]: <= bdb_filter_candidates: id=3 
first=3 last=12
Jun  2 09:40:35 server2 slapd[41001]: bdb_search_candidates: id=3 
first=3 last=12

Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     AND
Jun  2 09:40:35 server2 slapd[41001]: => test_filter_and
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     PRESENT

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
to "ou=groups,dc=my,dc=domain,dc=com" "objectClass"


requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)

Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 6
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     EQUALITY

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
to "ou=groups,dc=my,dc=domain,dc=com" "uid" requested

Jun  2 09:40:35 server2 slapd[41001]: <= root access granted

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)

Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter_and 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: bdb_search: 3 does not match filter
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     AND
Jun  2 09:40:35 server2 slapd[41001]: => test_filter_and
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     PRESENT

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
to "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com"


"objectClass" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)

Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 6
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     EQUALITY

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
to "cn=SuperTeam,ou=groups,dc=my,dc=domain,dc=com"


"uid" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)

Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter_and 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: bdb_search: 11 does not match filter
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     AND
Jun  2 09:40:35 server2 slapd[41001]: => test_filter_and
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     PRESENT

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
to "cn=SuperGroup,ou=groups,dc=my,dc=domain,dc=com"


"objectClass" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)

Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 6
Jun  2 09:40:35 server2 slapd[41001]: => test_filter
Jun  2 09:40:35 server2 slapd[41001]:     EQUALITY

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
to "cn=SuperGroup,ou=groups,dc=my,dc=domain,dc=com"


"uid" requested
Jun  2 09:40:35 server2 slapd[41001]: <= root access granted

Jun  2 09:40:35 server2 slapd[41001]: => access_allowed: search access 
granted by manage(=mwrscxd)

Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter_and 5
Jun  2 09:40:35 server2 slapd[41001]: <= test_filter 5
Jun  2 09:40:35 server2 slapd[41001]: bdb_search: 12 does not match filter
Jun  2 09:40:35 server2 slapd[41001]: send_ldap_result: conn=183 op=1 p=3

Jun  2 09:40:35 server2 slapd[41001]: send_ldap_result: err=0 matched="" 
text=""
Jun  2 09:40:35 server2 slapd[41001]: send_ldap_response: msgid=2 
tag=101 err=0
Jun  2 09:40:35 server2 slapd[41001]: conn=183 op=1 SEARCH RESULT 
tag=101 err=0 nentries=0 text=

Jun  2 09:40:35 server2 slapd[41001]: daemon: activity on 1 descriptor
Jun  2 09:40:35 server2 slapd[41001]: daemon: waked

Jun  2 09:40:35 server2 slapd[41001]: daemon: select: listen=6 
active_threads=0 tvp=NULL
Jun  2 09:40:35 server2 slapd[41001]: daemon: select: listen=7 
active_threads=0 tvp=NULL



Peter Schober wrote:

* Peter Schober <peter.scho...@univie.ac.at> [2009-05-27 12:33]:

I have tried a number of configurations for group authenticaiton, all 
without success.  Following is the current iteration of my apache 
configuration for the superteam.docs directory:


<Directory /files/superteam.docs>
   AuthType basic
   AuthName "Super Team Members Only"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPBindDN "cn=Manager,dc=my,dc=mydomain,dc=com"
   AuthLDAPBindPassword "secret"
   AuthLDAPGroupAttribute uniqueMember
   AuthLDAPGroupAttributeIsDN off

   AuthLDAPURL 
"ldap://192.168.0.92:389/ou=groups,dc=my,dc=mydomain,dc=com?cn=SuperTeam?";

   Require ldap-group cn=SuperTeam,ou=groups
   AllowOverride None
   Order allow,deny
   Allow from all
   Options +Includes
   XbitHack on
   </Directory>

First, AuthLDAPGroupAttributeIsDN should be on, since obviously your
(unique)member values *are* DNs.
(Btw, unless you require the addtional distinguishing values
uniqueMember allows for -- and from your example you certainly don't
--  you can just as well use the 'member' attribute. Both 'member' and
'uniquemember' need their values to be unique.)

Second, your "Require ldap-group" is somehow truncated, it should be
the full DN of that group (is there some documentation that implies
you can just leave away the baseDN or something?)


Third, the AuthLDAPURL doesn't seem to be right (see RFC 4516 for the
specs and examples). After the DN (which "identifies the base object
of the LDAP search or the target of a non-search operation.") come the
attributes you request, if you want all you'd still need to supply the
'?' with no parameter, otherwise the only one you're interested here
is (unique)member.
Then comes the scope (limit the search to the base of the object given
as the DN of the URL; to one level below the base object, or to a
subtree search, starting from and including the base object), and only
then comes the filter (which you give as cn=SuperTeam).

And with that filter (which is not interpretefd as a filter, because
it's in the wrong part, which you would see in your slapd.log) you'd
only ever find the group cn=SuperTeam, which is not wrong, but
superfluos, since you're 'require'ing the desired group below anyway
with an apache directive (once the syntax is corrected, see my point
two).

I don't think just leaving all the parts after the DN away (so their
defaults get to be used) will help, since the scope defaults to base,
and you'll need at least 'one' or 'sub', unless you specify the exact
name of the required group in the DN of that AuthLDAPURL (which I
douldn't do, since you'd have to mess with AuthLDAPURL for every
directory; same with the group name in the filter, see above).

So I guess a correct LDAP URL for your setup should be something like this:

AuthLDAPURL 
ldap://192.168.0.92:389/ou=groups,dc=my,dc=mydomain,dc=com?uniquemember?sub?(objectclass=groupOfUniqueNames)

(The port defaults to 389 so that could be left out as well, I
suppose.)

You could then reuse this AuthLDAPURL for all resources on your
server, adjusting only the "require ldap-group" directive for the
resource at hand.

And two rather generic hints wrt security:

Note that unless your directory server is on the same box or you
consider your network to be secure, you should not connect to your
slapd without securing at least the transport. For that you'd need to
configure your slapd to allow for TLS/SSL connections and supply
STARTTLS at the end of the LDAP URL (seperated by whitespace).
Instead of the STARTTLS parameter you could use ldaps:// for the
scheme, but note that there is no formal specification for LDAPS (in
contrast to LDAP+STARTTLS, see RFC 4513). So this is deprecated and
should not be used.
Also you really should not ever use the rootdn (I guess that is what
your cn=manager object really is) for anything else but directory
administration. Instead create another DN in your DIT and give this DN
the required permission (ACLs) to search and read group objects.
There are no limits to what the rootdn can do, ACLs are not even
evaluated for the rootdn (it's the rootdn, after all ;) so you can't
limit the power of this DN -- and it's password is in your httpd.conf
in the clear!

cheers,
-peter

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org























					Reply via email to