Posted to users@httpd.apache.org by Craig Jackson <cj...@localsurface.com> on 2004/06/20 04:48:23 UTC

[users@httpd] Auth LDAP: require group works erratically

Hi,

It seems I can't get group authentication to work from LDAP auth.
Sometimes it works, sometimes it doesn't. Here's the syslog output from when it
doesn't work on the first try but does work on the second attempt to
log in.... [My OpenLDAP server does not allow anonymous bind.]

Jun 19 21:38:15 mail slapd[9081]: conn=93 op=4 SRCH base="dc=localsurface,dc=com" scope=2 filter="(&(objectClass=CourierMailAccount)(mail=cjackson@localsurface.com))"
Jun 19 21:38:15 mail slapd[9081]: conn=93 op=4 SRCH attr=mail
Jun 19 21:38:15 mail slapd[9081]: conn=93 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=2 SRCH base="dc=localsurface,dc=com" scope=2 filter="(&(objectClass=CourierMailAccount)(mail=cjackson@localsurface.com))"
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=2 SRCH attr=mail
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=3 BIND anonymous mech=implicit ssf=0
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=3 BIND dn="cn=cjackson,ou=localsurface.com,dc=localsurface,dc=com" method=128
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=3 BIND dn="cn=cjackson,ou=localsurface.com,dc=localsurface,dc=com" mech=simple ssf=0
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=3 RESULT tag=97 err=0 text=
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=4 CMP dn="cn=digitalmedia,cn=cjackson,ou=localsurface.com,dc=localsurface,dc=com" attr="uniqueMember"
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=4 RESULT tag=111 err=6 text= ....

This is from the Apache error log...
[Sat Jun 19 21:38:15 2004] [warn] [client 10.1.1.3] [9232] auth_ldap authenticate: user cjackson@localsurface.com authentication failed; URI /dm/ [User not found][No such object]

Using Apache 2.0.47 compiled like this.....

./configure --enable-ssl --with-ssl=/usr/local/ssl --enable-so --enable-dav --enable-dav-fs --with-ldap --enable-ldap --enable-auth-ldap

With this Location directive...

Alias /dm/ /usr/local/apache2/digitalmedia/
<Location /dm/>
    Options Indexes MultiViews
    AuthType Basic
    AuthName "Digital Media"
    AuthLDAPEnabled on
    AuthLDAPGroupAttribute uniqueMember
    AuthLDAPURL "ldap://localhost:389/dc=localsurface,dc=com?mail?sub?(objectClass=CourierMailAccount)"
    AuthLDAPBindDN "cn=da_man,dc=localsurface,dc=com"
    AuthLDAPBindPassword "SECRET"
    require group cn=digitalmedia,cn=cjackson,ou=localsurface.com,dc=localsurface,dc=com
    <Limit GET HEAD OPTIONS PROPFIND>
        Allow from all
    </Limit>
    DavMinTimeout 3600
</Location>


I have tried various configuration changes to no avail. Why would it
work sometimes and not others?

I am using Konqueror and Firefox to connect.

Thanks,
Craig Jackson


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Auth LDAP: require group works erratically

Posted by Craig Jackson <cj...@localsurface.com>.
On Sat, 2004-06-19 at 21:48, Craig Jackson wrote:
> Hi,
> 
> It seems I can't get group authentication to work from ldap auth.
> Sometimes it works, sometimes it doesn't. Here's from syslog when it
> doesn't work on the first try but does work on the second attempt to
> login.... [My openldap server does not allow anonymous bind
> 

Just to follow up and make things a bit simpler to see

I have specified a bind DN and password, but it appears that Apache is
rebinding after the group check as anonymous or as the group user. Why
would it do that? It needs to be the user I specified to bind with
initially.

Thanks,
Craig Jackson


Re: [users@httpd] Auth LDAP: require group works erratically

Posted by Craig Jackson <cj...@localsurface.com>.
On Sat, 2004-06-19 at 21:48, Craig Jackson wrote:
> Hi,
> 
> It seems I can't get group authentication to work from ldap auth.
> Sometimes it works, sometimes it doesn't. Here's from syslog when it
> doesn't work on the first try but does work on the second attempt to
> login.... [My openldap server does not allow anonymous bind
> 

Further clarification. Here's where I'm getting fouled up.

In the example in the apache docs, it says this....

QUOTE
For example, assume that the following entry existed in the LDAP
directory:
 dn: cn=Administrators, o=Airius
 objectClass: groupOfUniqueNames
 uniqueMember: cn=Barbara Jenson, o=Airius
 uniqueMember: cn=Fred User, o=Airius
The following directive would grant access to both Fred and Barbara:
require group cn=Administrators, o=Airius
ENDQUOTE

HOWEVER, for this to work in my experience, Fred and Barbara would
have to have read access to the Administrators DN, because Apache
rebinds as Fred or Barbara to do the compare ON THE FIRST attempt. On the
second attempt Apache binds as the user specified by AuthLDAPBindDN.

Thus Fred and Barbara must login TWICE on my server to gain access.
Obviously I'm doing something wrong. Please edify me.

Thanks,
Craig Jackson

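Editor's added example, not part of the thread: the Python script below reconstructs, from OpenLDAP stats-level (loglevel 256) log lines, which DN each connection was bound as at the moment every SEARCH and CMP was issued. That is the question the three posts above circle around: is the "require group" compare being sent under the configured AuthLDAPBindDN, or under the end user's (or an anonymous) bind, where the user's own ACLs decide whether the group entry is readable? The sample log is constructed from the slapd lines in the first post, rejoined where the mail client wrapped them; the service DN handed to audit_compares is the AuthLDAPBindDN from the posted config; the function names, the Op class and the "not in excerpt" marker for connections whose bind happened before the excerpt begins are this example's own, not anything from mod_auth_ldap.

```python
"""Added triage helper for OpenLDAP slapd stats-level log lines: per connection,
track which DN is bound and annotate every SEARCH and CMP with that identity."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the slapd lines quoted in the first post, rejoined onto
# single lines where the mail client had wrapped them.
SAMPLE_LOG = """\
Jun 19 21:38:15 mail slapd[9081]: conn=93 op=4 SRCH base="dc=localsurface,dc=com" scope=2 filter="(&(objectClass=CourierMailAccount)(mail=cjackson@localsurface.com))"
Jun 19 21:38:15 mail slapd[9081]: conn=93 op=4 SRCH attr=mail
Jun 19 21:38:15 mail slapd[9081]: conn=93 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=2 SRCH base="dc=localsurface,dc=com" scope=2 filter="(&(objectClass=CourierMailAccount)(mail=cjackson@localsurface.com))"
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=2 SRCH attr=mail
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=3 BIND anonymous mech=implicit ssf=0
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=3 BIND dn="cn=cjackson,ou=localsurface.com,dc=localsurface,dc=com" method=128
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=3 BIND dn="cn=cjackson,ou=localsurface.com,dc=localsurface,dc=com" mech=simple ssf=0
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=3 RESULT tag=97 err=0 text=
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=4 CMP dn="cn=digitalmedia,cn=cjackson,ou=localsurface.com,dc=localsurface,dc=com" attr="uniqueMember"
Jun 19 21:38:36 mail slapd[9081]: conn=94 op=4 RESULT tag=111 err=6 text=
"""

TAG_BIND_RESPONSE = 97          # LDAP BindResponse tag (RFC 4511), seen on a BIND's RESULT line
RESULT_NAMES = {0: "success", 5: "compareFalse", 6: "compareTrue", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}
UNKNOWN = "<not in excerpt>"    # this example's marker: the connection's bind predates the log excerpt

LINE_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<body>.*)$")
BIND_DN_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SEARCH_RE = re.compile(r'^SRCH base="[^"]*" scope=\d filter="(?P<filter>.*)"$')
SEARCH_DONE_RE = re.compile(r"^SEARCH RESULT tag=\d+ err=(?P<err>\d+) nentries=(?P<n>\d+)")
COMPARE_RE = re.compile(r'^CMP dn="(?P<dn>[^"]*)" attr="(?P<attr>[^"]*)"')
RESULT_RE = re.compile(r"^RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")


@dataclass
class Op:
    conn: int
    op: int
    kind: str                  # "SRCH", "BIND" or "CMP"
    bound_as: str              # DN bound when the op was issued; "" means anonymous
    detail: dict = field(default_factory=dict)
    err: Optional[int] = None  # result code, filled in from the matching RESULT line


def parse_slapd_log(text: str) -> list:
    ops, by_key = [], {}
    bound, pending = {}, {}    # conn -> current bound DN; conn -> DN whose bind result is awaited
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, body = int(m["conn"]), int(m["op"]), m["body"].rstrip()
        key = (conn, op)
        bound.setdefault(conn, UNKNOWN)
        if body.startswith("BIND anonymous"):
            bound[conn] = ""   # slapd logs the implicit reset to anonymous at the start of every bind
        elif (b := BIND_DN_RE.match(body)):
            if key not in by_key:  # slapd logs the bind DN twice (method= line, then mech= line)
                pending[conn] = b["dn"]
                by_key[key] = Op(conn, op, "BIND", bound[conn], {"dn": b["dn"]})
                ops.append(by_key[key])
        elif (s := SEARCH_RE.match(body)):
            by_key[key] = Op(conn, op, "SRCH", bound[conn], {"filter": s["filter"]})
            ops.append(by_key[key])
        elif (s := SEARCH_DONE_RE.match(body)) and key in by_key:
            by_key[key].err = int(s["err"])
            by_key[key].detail["nentries"] = int(s["n"])
        elif (c := COMPARE_RE.match(body)):
            by_key[key] = Op(conn, op, "CMP", bound[conn], {"dn": c["dn"], "attr": c["attr"]})
            ops.append(by_key[key])
        elif (r := RESULT_RE.match(body)):
            if key in by_key:
                by_key[key].err = int(r["err"])
            if int(r["tag"]) == TAG_BIND_RESPONSE and conn in pending:
                # a successful bind changes the connection's identity; a failed one leaves it anonymous
                bound[conn] = pending.pop(conn) if int(r["err"]) == 0 else ""
    return ops


def search_hits(text: str) -> dict:
    """(conn, op) -> nentries for every SEARCH; 0 hits is what auth_ldap reports as [User not found]."""
    return {(o.conn, o.op): o.detail.get("nentries") for o in parse_slapd_log(text) if o.kind == "SRCH"}


def audit_compares(text: str, service_dn: str) -> list:
    """One record per CMP: the identity that issued it and whether that identity is the
    configured AuthLDAPBindDN. Anything else means the group check was evaluated under
    the end user's (or an anonymous) bind and therefore under that identity's ACLs."""
    return [{
        "conn": o.conn, "op": o.op, "group_dn": o.detail["dn"], "attr": o.detail["attr"],
        "bound_as": o.bound_as or "anonymous",
        "result": RESULT_NAMES.get(o.err, str(o.err)),
        "as_service_account": o.bound_as.lower() == service_dn.lower(),
    } for o in parse_slapd_log(text) if o.kind == "CMP"]


if __name__ == "__main__":
    for (conn, op), n in search_hits(SAMPLE_LOG).items():
        print(f"conn={conn} op={op} search returned {n} entries")
    for rec in audit_compares(SAMPLE_LOG, "cn=da_man,dc=localsurface,dc=com"):  # BindDN from the posted config
        print(f"conn={rec['conn']} op={rec['op']} CMP {rec['attr']} on {rec['group_dn']} "
              f"bound as {rec['bound_as']}: {rec['result']}, service account={rec['as_service_account']}")
```

Run against the excerpt, the two searches for the same filter show 0 and then 1 hits, and the single CMP is reported as bound as cn=cjackson,... rather than cn=da_man,..., i.e. the group check on that connection was evaluated with the end user's credentials, which is the behaviour the posts describe. The excerpt starts at op=4 of conn=93, so whatever bound that connection earlier is not visible; the script reports that as "<not in excerpt>" rather than guessing. Capture the whole connection (from "conn=N fd=... ACCEPT" onward) when reproducing this on a live server so every bind is accounted for.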