I'm not sure I saw an answer. Can someone assist?

> Are those different servers, with different Bind-usernames and Passwords?

Yes. They are different servers with different bind-usernames.

PATI MOSS
System Engineer Sr. Professional
CSC

From: Igor Galić <i.ga...@brainsware.org>
To: users@httpd.apache.org
Date: 11/16/2010 06:00 PM
Subject: Re: [us...@httpd] Group authentication to AD

----- "Patricia A Moss" <pmo...@csc.com> wrote:

> I am having a problem with apache authenticating using an ldap group.
> I have version 2.2.3, of httpd, installed.
>
> My location block is configured as below:
> <Location /test_repo>
> dav svn
> SVNPath /disk01/home/test_repo
> AuthType Basic
> AuthName "Subversion Repository"
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative on
> Require valid-user
> Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
> #Require ldap-user pmoss
> </Location>
>
> I've configured my aliases, in my http.conf file, as follows:
> <AuthnProviderAlias ldap ldap-FCGNET>
> AuthLDAPBindDN FCGNET\account_name
> AuthLDAPBindPassword xxxxxxxxxx
> AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>
> <AuthnProviderAlias ldap ldap-VIET>
> AuthLDAPBindDN "CN=account_name,OU=Service Accounts,OU=Users,OU=Production,DC=domain,DC=com"
> AuthLDAPBindPassword xxxxxxxxx
> AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
> </AuthnProviderAlias>

Are those different servers, with different Bind-usernames and Passwords?
If not, you might want to put them in one AuthLDAPURL, as shown here:
http://httpd.apache.org/docs/trunk/mod/mod_authnz_ldap.html#authldapurl

>
> My goal(s):
> 1. Allow only 1 specific, Active Directory, group access to the repository.

That should work out fine.

> 2. Simultaneously, allow a single user account, that is not a member of the group, access to the repository

Given that the condition is ``Simultaneously'' I'm not entirely sure this will work. It might be pure chance.

Only starting 2.3 there were possibilities added to make this kind of thing easily configurable, i.e.: <RequireAny> and <RequireAll>

http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#requireall
http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#requireany
http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#logic

> My attempts:
> 1. Configuration, as above, allows any valid user access to the repository; whether they are a member of the group or not.
>
> 2. If I remove "Require valid-user" then I receive an error when attempting access the repository and the error.log is as follows:
> [Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(377): [client 20.8.xxx.18x] [27994] auth_ldap authenticate: using URL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
> [Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(474): [client 20.8.xxx.18x] [27994] auth_ldap authenticate: accepting pmoss
> [Mon Nov 15 14:38:15 2010] [crit] [client 20.8.232.187] configuration error: couldn't check access. No groups file?: /test_repo/
>
> 3. I tried a "LimitExcept" block, shown below.

Please don't do that. Limit/LimitExcept are broken. While we're all working hard to fix it in 2.3, let's concentrate on the important things.

> <Location /test_repo>
> dav svn
> SVNPath /disk01/home/test_repo
> AuthType Basic
> AuthName "Subversion Repository"
> AuthBasicProvider ldap-FCGNET ldap-VIET
> AuthzLDAPAuthoritative on
> #Require valid-user
> # Limit R/W access to specified AD group
> <LimitExcept GET PROPFIND OPTIONS REPORT>
> Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
> </LimitExcept>
> #Require ldap-user pmoss
> </Location>
> I could successfully gain access to the repository, and I am not a member of the group.
>
> 4. I uncommented the "Require valid-user" line and was, again, successful in attempting access; and I am not a member of the group.
>
> 5. If I change the AuthzLDAPAuthoritative to off, I can still gain access to the repository.
>
>
> In my httpd.conf, I have the following modules:
> LoadModule ldap_module modules/mod_ldap.so
> LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
> LoadModule dav_module modules/mod_dav.so
> LoadModule dav_fs_module modules/mod_dav_fs.so
> LoadModule cgi_module modules/mod_cgi.so

How'd that get in here? Do you really need it?

> LoadModule authz_host_module modules/mod_authz_host.so
> LoadModule auth_basic_module modules/mod_auth_basic.so
> LoadModule dav_svn_module modules/mod_dav_svn.so
> LoadModule authz_svn_module modules/mod_authz_svn.so
> LoadModule authn_alias_module modules/mod_authn_alias.so

Same for these two:

> LoadModule authn_file_module modules/mod_authn_file.so
> LoadModule authz_owner_module modules/mod_authz_owner.so
> LoadModule authz_user_module modules/mod_authz_user.so
> LoadModule alias_module modules/mod_alias.so
>
>
> I've been searching around for answers but nothing seems to be solving my problem.
>
> I believe I have all the modules loaded that need to be there.
> I am not sure what I may be missing from my configuration or what may be mis-configured. Hopefully someone can help me in achieving the goals.
>
> Thanks in advance.
>
> PATI MOSS
> System Engineer Sr. Professional
> CSC

So long,
i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
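The behaviour the thread reports follows from how httpd 2.2 evaluates Require lines, and it can be shown side by side in configuration. This is an added example, not configuration from either poster: the first Location is the posted setup, the second is the 2.2 form that grants access to the group or to the one named account, and the third is the 2.4 equivalent using the <RequireAny> container Igor points to. In 2.2 every Require line in a scope is tried in turn and the request is allowed as soon as any one of them matches, so "Require valid-user" next to "Require ldap-group" admits every user who can authenticate, which is attempt 1. The 2.2 LDAP authorization check also declines when the Location holding "Require ldap-group" has no AuthLDAPURL of its own, because the directives inside an <AuthnProviderAlias> are seen only by the authentication provider; when no module claims the Require line the core logs "couldn't check access. No groups file?", which is attempt 2. Host name, DNs and account names below are taken from the post; the bind password is a placeholder, and the group-attribute directives restate the 2.2 defaults.

```apache
# --- As posted (httpd 2.2): every authenticated user is allowed -----------
# 2.2 ORs all Require lines, so "valid-user" alone satisfies the check and
# the ldap-group line never decides anything. With no AuthLDAPURL in this
# scope the LDAP authorizer declines; remove "valid-user" and nothing is
# left to answer the Require, hence the "No groups file?" error.
<Location /test_repo_as_posted>
    Dav svn
    SVNPath /disk01/home/test_repo
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative on
    Require valid-user
    Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
</Location>

# --- httpd 2.2: AD group OR one named account -----------------------------
# No "valid-user". The two remaining Require lines are still ORed, which is
# exactly the wanted policy. AuthLDAPURL and the bind credentials are
# repeated here because the authorization side of mod_authnz_ldap reads
# them from the Location, not from the AuthnProviderAlias used for login.
<Location /test_repo>
    Dav svn
    SVNPath /disk01/home/test_repo
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthLDAPURL "ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)"
    AuthLDAPBindDN "CN=account_name,OU=Service Accounts,OU=Users,OU=Production,DC=domain,DC=com"
    AuthLDAPBindPassword "PLACEHOLDER_BIND_PASSWORD"
    # 2.2 defaults, written out so the group test against AD is visible:
    # membership is checked by comparing the user's DN to the group's
    # "member" attribute.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthzLDAPAuthoritative on
    Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
    Require ldap-user pmoss
</Location>

# --- httpd 2.4: the same policy stated explicitly --------------------------
# AuthzLDAPAuthoritative no longer exists in 2.4. <RequireAny> makes the OR
# visible, and a <RequireAll> block is where an additional AND condition
# (for example a network restriction) would go.
<Location /test_repo>
    Dav svn
    SVNPath /disk01/home/test_repo
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthLDAPURL "ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)"
    AuthLDAPBindDN "CN=account_name,OU=Service Accounts,OU=Users,OU=Production,DC=domain,DC=com"
    AuthLDAPBindPassword "PLACEHOLDER_BIND_PASSWORD"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    <RequireAny>
        Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
        Require ldap-user pmoss
    </RequireAny>
</Location>
```

One caveat for the two-directory setup in the thread: both the group and the ldap-user checks run against the single AuthLDAPURL configured in the Location, so an account that authenticated through the other alias is only admitted if that directory can resolve it (the global catalog port 3268 used in the post is what makes a cross-domain lookup plausible, an assumption about the poster's forest layout). Verifying the result means testing with three accounts: a group member, the named user, and a valid account that is neither; only the third should receive 401, and the access log is where to confirm it.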