Posted to users@httpd.apache.org by jehan procaccia <je...@it-sudparis.eu> on 2008/01/31 16:11:05 UTC
[users@httpd] mod_authnz_ldap AUTHENTICATE_* Env variables ?
Hello,
In the doc:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#exposed
it is said that "all LDAP attributes returned by the query are placed
in the environment, using environment variables with the prefix
'AUTHENTICATE_'".
However, I cannot see these "AUTHENTICATE_<attr>=value" in my
environment variables!?
My test is based on a simple Perl script which shows environment variables:
#!/usr/bin/perl
print "Content-type: text/plain\n\n";
foreach $var (sort(keys(%ENV))) {
    $val = $ENV{$var};
    print "${var}=\"${val}\"\n";
}
my .htaccess file contains
<Limit GET POST>
AuthType CAS
AuthName "INT auth"
AuthLDAPUrl "ldap://ldap4.int-evry.fr/dc=int-evry,dc=fr?uid,mail,cn,eduPersonAffiliation"
Require ldap-attribute eduPersonAffiliation=employee
</Limit>
Hence, I was expecting variables like AUTHENTICATE_uid,
AUTHENTICATE_mail, AUTHENTICATE_cn and AUTHENTICATE_eduPersonAffiliation.
None show up, not even in a php_info() script :-( . How can these
variables be made available?
I am on centos5 with httpd-2.2.3
Thanks
PS: similar question with no solutions:
http://www.techlists.org/archives/web/apache-users/2003-10/msg00651.shtml
http://meta.wikimedia.org/wiki/User:Otheus/Auto_Login_via_REMOTE_USER/code
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_authnz_ldap AUTHENTICATE_* Env variables ?
Posted by jehan procaccia <je...@it-sudparis.eu>.
Eric Covener wrote:
> On Jan 31, 2008 12:59 PM, Eric Covener <co...@gmail.com> wrote:
>
>> On Jan 31, 2008 12:16 PM, jehan procaccia
>> <je...@it-sudparis.eu> wrote:
>>
>>
>>> I do enter in mod_auth_cas for authn, then authz is supposed to be
>>> carried out from mod_authnz_ldap,
>>>
>> Peeking at the source, it looks like mod_authnz_ldap only sets this
>> when it authenticates (checks the password) for a request, and not
>> when it does authorization (checks a Require)
>>
>>
>>
>
> Which is vacuously true of mod_authn_dbd (emphasis on authn). Looks
> like a doc bug or a feature request :/
>
I confirm that I get the env variables when using a pure mod_authnz_ldap
config, for example:
<Directory /var/www/html/jehan/cgi3/>
AuthType Basic
AuthName "calaz"
AuthBasicProvider "ldap"
AuthLDAPUrl "ldap://calaz.int-evry.fr/dc=int-evry,dc=fr?uid,mail,cn,eduPersonAffiliation"
authzldapauthoritative Off
require valid-user
</Directory>
LDAP logs when connecting:
Feb 5 12:12:38 localhost slapd[16931]: conn=3 op=1 SRCH attr=uid mail cn eduPersonAffiliation
printenv.pl does show, among others:
AUTHENTICATE_EDUPERSONAFFILIATION --> employee
AUTHENTICATE_MAIL --> test.test@int-edu.eu
AUTHENTICATE_CN --> test Test
But as soon as I cascade our mod_auth_cas SSO authn module, I lose
these AUTHENTICATE_* env variables :-( .
##AuthType Basic
## AuthName "calaz"
AuthType CAS
AuthName "CAS SSO"
AuthLDAPUrl "ldap://calaz.int-evry.fr/dc=int-evry,dc=fr?uid,mail,cn,eduPersonAffiliation"
authzldapauthoritative Off
require valid-user
I do see the ldap request:
Feb 5 12:20:07 localhost slapd[16931]: conn=5 op=1 SRCH attr=uid mail cn eduPersonAffiliation
but the attributes are not available in the http env variables anymore.
Is there a way to get these AUTHENTICATE_* variables with another authn
module?
Thanks.
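
Added example, not part of the original thread and not Apache project code: a CGI diagnostic that derives the expected AUTHENTICATE_* names from the AuthLDAPUrl attribute list and reports which ones the server exported, reading the result the way the thread explains it. The sample environments, the user name "test", the AUTHENTICATE_UID value and the AUTH_TYPE value "CAS" are constructed for illustration.

```python
import os

PREFIX = "AUTHENTICATE_"
# AuthLDAPUrl value taken from the configuration quoted in the thread.
AUTH_LDAP_URL = "ldap://calaz.int-evry.fr/dc=int-evry,dc=fr?uid,mail,cn,eduPersonAffiliation"

def expected_vars(auth_ldap_url):
    """AuthLDAPUrl is ldap://host/basedn?attr1,attr2?scope?filter; return the
    AUTHENTICATE_<ATTR> names (upper-cased, as in the printenv output above)."""
    fields = auth_ldap_url.strip().strip('"').split("?")
    attrs = fields[1] if len(fields) > 1 else ""
    return [PREFIX + a.strip().upper() for a in attrs.split(",") if a.strip()]

def diagnose(env, auth_ldap_url=AUTH_LDAP_URL):
    """Return (verdict, present_names, missing_names) for one request environment."""
    wanted = expected_vars(auth_ldap_url)
    # Case-insensitive match: the first post looked for AUTHENTICATE_uid.
    seen = {k.upper() for k in env if k.upper().startswith(PREFIX)}
    present = [k for k in wanted if k in seen]
    missing = [k for k in wanted if k not in seen]
    if not env.get("REMOTE_USER"):
        verdict = "no authenticated user: the request did not pass through authn"
    elif wanted and not missing:
        verdict = "all requested attributes exported"
    elif not present:
        verdict = "user authenticated, no attributes: LDAP did not do the password check"
    else:
        verdict = "only some requested attributes exported"
    return verdict, present, missing

# Constructed sample environments modelled on the two configurations in the thread.
BASIC_LDAP_ENV = {"AUTH_TYPE": "Basic", "REMOTE_USER": "test",
                  "AUTHENTICATE_UID": "test", "AUTHENTICATE_CN": "test Test",
                  "AUTHENTICATE_MAIL": "test.test@int-edu.eu",
                  "AUTHENTICATE_EDUPERSONAFFILIATION": "employee"}
CAS_THEN_LDAP_ENV = {"AUTH_TYPE": "CAS", "REMOTE_USER": "test"}

if __name__ == "__main__":
    # Run as a CGI: report variable names only, never attribute values.
    verdict, present, missing = diagnose(os.environ)
    print("Content-type: text/plain\n")
    print(f"AUTH_TYPE={os.environ.get('AUTH_TYPE', '')}")
    print(f"verdict: {verdict}")
    print("present: " + ", ".join(present))
    print("missing: " + ", ".join(missing))
```

Unlike a full environment dump, this prints only variable names, so it can be left in a protected directory during debugging without exposing directory attribute values.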
Re: [users@httpd] mod_authnz_ldap AUTHENTICATE_* Env variables ?
Posted by Eric Covener <co...@gmail.com>.
On Jan 31, 2008 12:59 PM, Eric Covener <co...@gmail.com> wrote:
> On Jan 31, 2008 12:16 PM, jehan procaccia
> <je...@it-sudparis.eu> wrote:
>
> > I do enter in mod_auth_cas for authn, then authz is supposed to be
> > carried out from mod_authnz_ldap,
>
> Peeking at the source, it looks like mod_authnz_ldap only sets this
> when it authenticates (checks the password) for a request, and not
> when it does authorization (checks a Require)
>
>
Which is vacuously true of mod_authn_dbd (emphasis on authn). Looks
like a doc bug or a feature request :/
--
Eric Covener
covener@gmail.com
Re: [users@httpd] mod_authnz_ldap AUTHENTICATE_* Env variables ?
Posted by Eric Covener <co...@gmail.com>.
On Jan 31, 2008 12:16 PM, jehan procaccia
<je...@it-sudparis.eu> wrote:
> I do enter in mod_auth_cas for authn, then authz is supposed to be
> carried out from mod_authnz_ldap,
Peeking at the source, it looks like mod_authnz_ldap only sets this
when it authenticates (checks the password) for a request, and not
when it does authorization (checks a Require)
--
Eric Covener
covener@gmail.com
Re: [users@httpd] mod_authnz_ldap AUTHENTICATE_* Env variables ?
Posted by jehan procaccia <je...@it-sudparis.eu>.
Eric Covener wrote:
> On Jan 31, 2008 10:11 AM, jehan procaccia
> <je...@it-sudparis.eu> wrote:
>
>> hello,
>> however I cannot see these "AUTHENTICATE_<attr>=value" in my
>> environment variable !?
>>
>
>
>> my .htaccess file contains
>>
>> <Limit GET POST>
>> AuthType CAS
>> AuthName "INT auth"
>> AuthLDAPUrl "ldap://ldap4.int-evry.fr/dc=int-evry,dc=fr?uid,mail,cn,eduPersonAffiliation"
>> Require ldap-attribute eduPersonAffiliation=employee
>> </Limit>
>>
>
>
> Are you sure authn/authz are even occurring? No AuthBasicProvider &&
> no AuthUserFile in 2.2.x?
>
I do enter in mod_auth_cas for authn, then authz is supposed to be
carried out from mod_authnz_ldap. I can confirm that I do get
authenticated by mod_auth_cas, then I do see an ldap request on the ldap
server for eduPersonAffiliation=employee, and if the user connecting
contains student instead of "employee", he does get an "authorization
refused". Does that prove that authn/authz are even occurring?
What do you mean by
"No AuthBasicProvider &&
no AuthUserFile in 2.2.x"?
Thanks.
Re: [users@httpd] mod_authnz_ldap AUTHENTICATE_* Env variables ?
Posted by Eric Covener <co...@gmail.com>.
On Jan 31, 2008 10:11 AM, jehan procaccia
<je...@it-sudparis.eu> wrote:
> hello,
> however I cannot see these "AUTHENTICATE_<attr>=value" in my
> environment variable !?
> my .htaccess file contains
>
> <Limit GET POST>
> AuthType CAS
> AuthName "INT auth"
> AuthLDAPUrl "ldap://ldap4.int-evry.fr/dc=int-evry,dc=fr?uid,mail,cn,eduPersonAffiliation"
> Require ldap-attribute eduPersonAffiliation=employee
> </Limit>
Are you sure authn/authz are even occurring? No AuthBasicProvider &&
no AuthUserFile in 2.2.x?
--
Eric Covener
covener@gmail.com
Re: [users@httpd] mod_authnz_ldap AUTHENTICATE_* Env variables ?
Posted by jehan procaccia <je...@it-sudparis.eu>.
Nick Kew wrote:
> On Thu, 31 Jan 2008 16:11:05 +0100
> jehan procaccia <je...@it-sudparis.eu> wrote:
>
>
>> I am on centos5 with httpd-2.2.3
>>
>
> Read the CHANGES file. I don't recollect exactly when it happened,
> but I'm pretty sure those variables were added more recently than
> 2.2.3.
>
>
I can't see anything regarding "mod_authnz_ldap AUTHENTICATE_" on
http://apache.crihan.fr/dist/httpd/CHANGES_2.2
I just gave it a try on Fedora 7 Apache/2.2.6, no way :-( .
Can you confirm since which release it is available?
Thanks.
Re: [users@httpd] mod_authnz_ldap AUTHENTICATE_* Env variables ?
Posted by Nick Kew <ni...@webthing.com>.
On Thu, 31 Jan 2008 16:11:05 +0100
jehan procaccia <je...@it-sudparis.eu> wrote:
> I am on centos5 with httpd-2.2.3
Read the CHANGES file. I don't recollect exactly when it happened,
but I'm pretty sure those variables were added more recently than
2.2.3.
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/