You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@httpd.apache.org by Andy Kannberg <a....@orange.nl> on 2007/02/26 12:14:13 UTC

[users@httpd] Problem with mod_auth_ldap

Hi,

For our site, we want to start using LDAP for authenticating users to our website.

I'm running some tests, but run into a problem when I want to start giving access by groups.

I've added the following to the httpd.conf :

# LDAP Authentication
<Directory /var/httpd/test>
AuthName "Login"
AuthType Basic

AuthLDAPURL ldap://ldapx.snow.nl/ou=people,dc=snow,dc=nl?uid
AuthLDAPGroupAttribute somegroup
require valid-user
</Directory>

I have a testuser in LDAP, who is a member of the group "techniek"
When the deirective "AuthLDAPGroupAttribute" has the attribute "techniek", the user can access the testdirectory.
But when I change the attribute to another (existing) group in LDAP, from which the testuser is no member, I still can access the page as that testuser. But I would expect that I would not gain access to the page if the group is no corresponding with the group the user belongs to ? 

best regards,
Andy Kannberg
The Netherlands.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Problem with mod_auth_ldap

Posted by Dmitri Colebatch <di...@colebatch.com>.

Hi Andy,

On 2/26/07, Andy Kannberg <a....@orange.nl> wrote:
> <Directory /var/httpd/test>
> AuthName "Login"
> AuthType Basic
>
> AuthLDAPURL ldap://ldapx.snow.nl/ou=people,dc=snow,dc=nl?uid
> AuthLDAPGroupAttribute somegroup
> require valid-user
> </Directory>

All this does is require that the username/password is correct.  Instead of:
  require valid-user
do
  require group techniek

cheers,
dim

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: [users@httpd] Problem with mod_auth_ldap

Posted by "John P. Dodge" <do...@cruciate.ca.boeing.com>.

On Mon, 26 Feb 2007, Andy Kannberg wrote:
> For our site, we want to start using LDAP for authenticating users to our website.
>
> I'm running some tests, but run into a problem when I want to start giving access by groups.
>
> I've added the following to the httpd.conf :
>
> # LDAP Authentication
> <Directory /var/httpd/test>
> AuthName "Login"
> AuthType Basic
>
> AuthLDAPURL ldap://ldapx.snow.nl/ou=people,dc=snow,dc=nl?uid
> AuthLDAPGroupAttribute somegroup
> require valid-user
> </Directory>
>
> I have a testuser in LDAP, who is a member of the group "techniek"
> When the deirective "AuthLDAPGroupAttribute" has the attribute "techniek", the user can access the testdirectory.
> But when I change the attribute to another (existing) group in LDAP, from which the testuser is no member, I still can access the page as that testuser. But I would expect that I would not gain access to the page if the group is no corresponding with the group the user belongs to ?
>
This is because you are using "require valid-user" which bypasses the
authorization step and only check the authentication.

You'll need to use "require ldap-group" or "ldap-attribute" or
"ldap-filter" and "AuthzLDAPAuthoritative On" to perform the authx phase.


----------------------------------------
"Mon aéroglisseur est plein d'anguilles"
John P. Dodge
Boeing Shared Services


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org