You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Andy Kannberg <a....@orange.nl> on 2007/02/26 12:14:13 UTC
[users@httpd] Problem with mod_auth_ldap
Hi,
For our site, we want to start using LDAP for authenticating users to our website.
I'm running some tests, but run into a problem when I want to start giving access by groups.
I've added the following to the httpd.conf :
# LDAP Authentication
<Directory /var/httpd/test>
AuthName "Login"
AuthType Basic
AuthLDAPURL ldap://ldapx.snow.nl/ou=people,dc=snow,dc=nl?uid
AuthLDAPGroupAttribute somegroup
require valid-user
</Directory>
I have a testuser in LDAP, who is a member of the group "techniek"
When the deirective "AuthLDAPGroupAttribute" has the attribute "techniek", the user can access the testdirectory.
But when I change the attribute to another (existing) group in LDAP, from which the testuser is no member, I still can access the page as that testuser. But I would expect that I would not gain access to the page if the group is no corresponding with the group the user belongs to ?
best regards,
Andy Kannberg
The Netherlands.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Problem with mod_auth_ldap
Posted by Dmitri Colebatch <di...@colebatch.com>.
Hi Andy,
On 2/26/07, Andy Kannberg <a....@orange.nl> wrote:
> <Directory /var/httpd/test>
> AuthName "Login"
> AuthType Basic
>
> AuthLDAPURL ldap://ldapx.snow.nl/ou=people,dc=snow,dc=nl?uid
> AuthLDAPGroupAttribute somegroup
> require valid-user
> </Directory>
All this does is require that the username/password is correct. Instead of:
require valid-user
do
require group techniek
cheers,
dim
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Problem with mod_auth_ldap
Posted by "John P. Dodge" <do...@cruciate.ca.boeing.com>.
On Mon, 26 Feb 2007, Andy Kannberg wrote:
> For our site, we want to start using LDAP for authenticating users to our website.
>
> I'm running some tests, but run into a problem when I want to start giving access by groups.
>
> I've added the following to the httpd.conf :
>
> # LDAP Authentication
> <Directory /var/httpd/test>
> AuthName "Login"
> AuthType Basic
>
> AuthLDAPURL ldap://ldapx.snow.nl/ou=people,dc=snow,dc=nl?uid
> AuthLDAPGroupAttribute somegroup
> require valid-user
> </Directory>
>
> I have a testuser in LDAP, who is a member of the group "techniek"
> When the deirective "AuthLDAPGroupAttribute" has the attribute "techniek", the user can access the testdirectory.
> But when I change the attribute to another (existing) group in LDAP, from which the testuser is no member, I still can access the page as that testuser. But I would expect that I would not gain access to the page if the group is no corresponding with the group the user belongs to ?
>
This is because you are using "require valid-user" which bypasses the
authorization step and only check the authentication.
You'll need to use "require ldap-group" or "ldap-attribute" or
"ldap-filter" and "AuthzLDAPAuthoritative On" to perform the authx phase.
----------------------------------------
"Mon aƩroglisseur est plein d'anguilles"
John P. Dodge
Boeing Shared Services
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org