Hi,
I am using Apache HTTPD 2.2.4 release 4 in Fedora Core 4. I am trying to
protect a cgi-bin folder using LDAP authentication from an OpenLDAP directory
server.
Here is my configuration in httpd.conf:
<Directory "/var/www/cgi-bin">
AuthType Basic
AuthName "CVSweb"
AllowOverride None
Options None
Order deny,allow
Allow from all
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPURL ldap://ldap.estream.com.my/ou=engineer,dc=example,dc=com,dc=my?uid?sub?(objectclass=posixAccount)
Require valid-user
</Directory>
When I attempt to access a cgi from cgi-bin via a web browser, a usual
user/password dialog prompts and I am able to access the cgi after entering the
correct user/password information.
However, when I look into the error_log, I found this:
[r...@bee httpd]# less error_log
[Sat Sep 11 11:21:38 2010] [debug] mod_authnz_ldap.c(376): [client 192.168.0.126] [22429] auth_ldap authenticate: using URL ldap://ldap.estream.com.my/ou=engineer,dc=estream,dc=com,dc=my?uid?sub?(objectclass=posixAccount)
[Sat Sep 11 11:21:38 2010] [debug] mod_authnz_ldap.c(475): [client 192.168.0.126] [22429] auth_ldap authenticate: accepting ccy
[Sat Sep 11 11:21:38 2010] [debug] mod_authnz_ldap.c(842): [client 192.168.0.126] [22429] auth_ldap authorise: *declining to authorise*
There is a "declining to authorise" showing in the error_log, but it seems
weird as I am able to access my cgi using the correct user/password pair. Does
anyone know what it means?
My OpenLDAP service is hosted on Fedora Core 13 with SELinux disabled, and
/etc/nsswitch.conf has been patched to disable sssd authentication:
passwd: files ldap #sss
shadow: files ldap #sss
group: files ldap #sss
My OpenLDAP service is able to handle STARTTLS connections and it is working
for another 3 Samba servers in my network.
--
Best regards,
Chau Chee Yang
E Stream Software Sdn Bhd
URL: www.sql.com.my
SQL Financial Accounting