Posted to users@httpd.apache.org by Dmitri Colebatch <co...@gmail.com> on 2006/05/18 09:29:04 UTC

[users@httpd] AuthLDAPUrl failover not working

Hi all,

I've spent an hour googling this so am really hoping this isn't just a
case of me being stupid (although a quick fix would be nice).

We have an Apache 2.2.0 (built Dec 21 2005 15:12:36) instance with the
following LDAP config:

<Directory />
    Options FollowSymLinks
    AllowOverride None

        AuthType Basic
        AuthName "LDAP Authentication"
        AuthBasicProvider ldap
        AuthLDAPUrl ldap://toyent02/o=users?cn?sub?(objectclass=Person)
        AuthLDAPBindDN cn=.......,o=admin
        AuthLDAPBindPassword ........
        AuthzLDAPAuthoritative off
</Directory>

I've been asked to add failover to the ldap config, which according to
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl
should be as simple as changing the AuthLDAPUrl to:

        AuthLDAPUrl ldap://toyent02 toyent01/o=users?cn?sub?(objectclass=Person)

but when I do that I get this:

Syntax error on line 316 of /usr/local/apache/conf/httpd.conf:
Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS

which makes me think that the "ldap://toyent02" is being interpreted
as the url, and "toyent01/o=users?cn?sub?(objectclass=Person)" as the
connection mode.  I can confirm this by changing the config to:

        AuthLDAPUrl ldap://toyent02 toyent01/o=users?cn?sub?(objectclass=Person) NONE

which gives me:

Syntax error on line 316 of /usr/local/apache/conf/httpd.conf:
AuthLDAPURL takes 1-2 arguments, URL to define LDAP connection. This
should be an RFC 2255 complaint\nURL of the form ldap://host[:port]/
basedn[?attrib[?scope[?filter]]].\n<ul>\n<li>Host is the name of the
LDAP server. Use a space separated list of hosts \nto specify redundant
servers.\n<li>Port is optional, and specifies the port to connect
to.\n<li>basedn specifies the base DN to start searches from\n<li>Attrib
specifies what attribute to search for in the directory. If not
provided, it defaults to <b>uid</b>.\n<li>Scope is the scope of the
search, and can be either <b>sub</b> or <b>one</b>. If not provided,
the default is <b>sub</b>.\n<li>Filter is a filter to use in the search.
If not provided, defaults to <b>(objectClass=*)</b>.\n</ul>\nSearches
are performed using the attribute and the filter combined. For example,
assume that the\nLDAP URL is <b>ldap://ldap.airius.com/ou=People,
o=Airius?uid?sub?(posixid=*)</b>. Searches will\nbe done using the
filter <b>(&((posixid=*))(uid=<i>username</i>))</b>, where
<i>username</i>\nis the user name passed by the HTTP client. The
search will be a subtree search on the branch <b>ou=People,
o=Airius</b>.

so it's obviously splitting the arguments based on a space, contrary to the docs.

Has anyone else got ldap configured with failover?  The only remotely
close thing google has turned up is this:
http://issues.apache.org/bugzilla/show_bug.cgi?id=30592 but it doesn't
quite fit the bill.

Any ideas?

cheers
dim
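The following is an added example, not part of the original post or of the Apache project's documentation. It shows the failing directive beside the form that keeps the space-separated host list together as one argument: the httpd config parser splits directive arguments on unquoted whitespace, so a URL containing a space has to be double-quoted. The hostnames and base DN are the poster's; the `Require` line is an assumption (the post's snippet does not show one, and without a `Require` nothing is actually enforced). Verify with `httpd -t` (or `apachectl configtest`) before reloading.

```apache
# Added example (not from the original post or the Apache docs).
# Assumes: quoting the URL is what makes httpd treat "toyent02 toyent01"
# as the host list of a single AuthLDAPUrl argument. Hostnames and base DN
# are taken from the post; the Require line is an assumption.

# Broken: the unquoted space ends the first argument, so
# "toyent01/o=users?..." is taken as the optional connection-mode argument
# (NONE|SSL|TLS) and httpd rejects the config at startup.
# AuthLDAPUrl ldap://toyent02 toyent01/o=users?cn?sub?(objectclass=Person)

<Directory />
    Options FollowSymLinks
    AllowOverride None

    AuthType Basic
    AuthName "LDAP Authentication"
    AuthBasicProvider ldap
    # Quoted: one argument carrying two redundant hosts; the LDAP client
    # library falls over to toyent01 when toyent02 is unreachable.
    AuthLDAPUrl "ldap://toyent02 toyent01/o=users?cn?sub?(objectclass=Person)"
    AuthLDAPBindDN cn=.......,o=admin
    AuthLDAPBindPassword ........
    AuthzLDAPAuthoritative off
    # Assumed: without a Require directive no authentication is enforced.
    Require valid-user
</Directory>
```

Two practical notes: the optional second argument (NONE, SSL or TLS) still goes after the closing quote, not inside it; and a plain ldap:// URL sends both the bind password and every user's Basic-auth password to the directory in the clear, so once failover works, moving to ldaps:// or the TLS mode is the next change worth making.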

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org