Re: [users@httpd] Problem with mod_auth_ldap

["John P. Dodge" <do...@cruciate.ca.boeing.com>]

On Mon, 26 Feb 2007, Andy Kannberg wrote:
> For our site, we want to start using LDAP for authenticating users to our website.
>
> I'm running some tests, but run into a problem when I want to start giving access by groups.
>
> I've added the following to the httpd.conf :
>
> # LDAP Authentication
> <Directory /var/httpd/test>
> AuthName "Login"
> AuthType Basic
>
> AuthLDAPURL ldap://ldapx.snow.nl/ou=people,dc=snow,dc=nl?uid
> AuthLDAPGroupAttribute somegroup
> require valid-user
> </Directory>
>
> I have a testuser in LDAP, who is a member of the group "techniek"
> When the deirective "AuthLDAPGroupAttribute" has the attribute "techniek", the user can access the testdirectory.
> But when I change the attribute to another (existing) group in LDAP, from which the testuser is no member, I still can access the page as that testuser. But I would expect that I would not gain access to the page if the group is no corresponding with the group the user belongs to ?
>
This is because you are using "require valid-user" which bypasses the
authorization step and only check the authentication.

You'll need to use "require ldap-group" or "ldap-attribute" or
"ldap-filter" and "AuthzLDAPAuthoritative On" to perform the authx phase.


----------------------------------------
"Mon aéroglisseur est plein d'anguilles"
John P. Dodge
Boeing Shared Services


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org