I'm able to do LDAP based group authorization when specify the group info as a filter in the LDAP URL but I'd like to configure a more generic LDAP string in the apache config and allow users to control access by group membership using .htaccess files. I'm able to authenticate based on userid/password but can seem to get the config quite right to authorize based on group membership.
These memberships are in the memberOf attribute on User records In the LDAP tree, users are in OU=Company Users, groups are in OU=GroupStuff and OU=Standard under OU=Company Groups. The log files complain that an attribute can't be found for the group value specified. Any ideas? My ldap config looks like this: AuthName "Active Directory" AuthType Basic AuthBasicProvider ldap AuthLDAPBindDN "CN=mybinduser,OU=Generics,OU=Company Users,DC=dev,DC=company,DC=com" AuthLDAPBindPassword secret AuthLDAPRemoteUserAttribute cn AuthLDAPUrl "ldap://dev.company.com:389/OU=Company Users,DC=dev,DC=company,DC=com?cn?sub?" AuthzLDAPAuthoritative on AuthLDAPGroupAttribute memberOf .htaccess file looks like this: require valid-user require ldap-group CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com Logs look like this: [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(875): [6756] auth_ldap url parse: `ldap://dev.company.com:389/OU=Company Users,DC=dev,DC=company,DC=com?cn?sub?' [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(884): [6756] auth_ldap url parse: Host: dev.company.com:389 [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(886): [6756] auth_ldap url parse: Port: 389 [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(888): [6756] auth_ldap url parse: DN: OU= Company Users,DC=dev,DC=company,DC=com [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(890): [6756] auth_ldap url parse: attrib: cn [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(892): [6756] auth_ldap url parse: scope: subtree [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(897): [6756] auth_ldap url parse: filter: (null) [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(977): LDAP: auth_ldap not using SSL connections [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(377): [client 64.102.41.173] [6756] auth_ldap authenticate: using URL ldap://dev.company.com:389/OU= Company Users,DC=dev,DC=company,DC=com?cn?sub? [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(474): [client 64.102.41.173] [6756] auth_ldap authenticate: accepting trice [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(715): [client 64.102.41.173] [6756] auth_ldap authorise: require group: testing for group membership in "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com" [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(721): [client 64.102.41.173] [6756] auth_ldap authorise: require group: testing for memberOf: CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com (CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com) [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(737): [client 64.102.41.173] [6756] auth_ldap authorise: require group "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute] [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(852): [client 64.102.41.173] [6756] auth_ldap authorise: authorisation denied My LDAP entry (using the URL above) looks like this: dn:CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com objectClass: top person organizationalPerson user cn: trice <you don't care what my address, mailbox number, etc. is so ... snip> memberOf: CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com CN=admins,OU=Standard,OU=Company Groups,DC=dev,DC= company,DC=com department: 8675309 company: Company, Inc. --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org " from the digest: users-digest-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
