Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/11/06 18:03:11 UTC
DO NOT REPLY [Bug 43798] New: - require ldap-group or ldap-user with AuthnProviderAlias is not ok
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=43798>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43798
Summary: require ldap-group or ldap-user with AuthnProviderAlias is not ok
Product: Apache httpd-2
Version: 2.2.6
Platform: PC
OS/Version: Linux
Status: NEW
Severity: major
Priority: P3
Component: mod_authn_ldap
AssignedTo: bugs@httpd.apache.org
ReportedBy: frederic.saintmarcel@inrialpes.fr
I have two examples of .htaccess configuration.
This one is OK:
AuthName "test"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL ldap://xxx/ou=people,dc=xxx,dc=fr
Require ldap-group cn=xxx,ou=groups,dc=xxx,dc=fr
This one, with a provider alias, is not OK:
<AuthnProviderAlias ldap ldap-test>
AuthLDAPURL ldap://xxx/ou=people,dc=xxx,dc=fr
</AuthnProviderAlias>
AuthName "test"
AuthType Basic
AuthBasicProvider ldap-test
Require ldap-group cn=xxx,ou=groups,dc=xxx,dc=fr
It seems that the authentication is not OK with a declaration of a provider
alias for a group or a user (with require valid-user it's OK for the two configurations).
Thanks in advance.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 43798] - require ldap-group or ldap-user with AuthnProviderAlias is not ok
Posted by bu...@apache.org.
http://issues.apache.org/bugzilla/show_bug.cgi?id=43798
bnicholes@apache.org changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID
------- Additional Comments From bnicholes@apache.org 2008-02-06 16:44 -------
This is actually working as designed. Authentication and authorization are two
different functions. Since the LDAP URL was specified in an
<AuthnProviderAlias> section, the directives in that section only apply to
authentication or Authn. They do not apply to authorization or authz.
Therefore, an LDAP URL still needs to be defined if the authorization
functionality requires it, such as in a 'require ldap-group xxx' situation.
The unfortunate thing is that this is not intuitive in Apache 2.2. It will
make a little more sense in Apache 2.4 when the directive section
<RequireAlias ... > is introduced. This will allow both the authentication
and authorization functionality to be independently configured with separate
LDAP information if desired. An equivalent <RequireAlias> would appear as:
<RequireAlias ldap-group my-ldap-group cn=xxx,ou=groups,dc=xxx,dc=fr>
AuthLDAPURL ldap://xxx/ou=people,dc=xxx,dc=fr
...
</RequireAlias>
<Directory ..>
...
Require my-ldap-group
</Directory>
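Added example (not part of the bug report and not httpd code): a small Python check for the situation explained in the comment above, where the only AuthLDAPURL sits inside <AuthnProviderAlias> while a Require ldap-* line needs one for authorization. The function name and the single-scope simplification are assumptions; the sample text reuses the report's placeholder values.

```python
import re

# Require types evaluated by mod_authnz_ldap during authorization.
LDAP_REQUIRE = re.compile(r"^require\s+(ldap-(?:user|group|dn|attribute|filter))\b", re.I)
OPEN = re.compile(r"^<\s*([A-Za-z]+)\b")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>")

def find_authz_without_url(config_text):
    """Return (line_no, require_type) for each LDAP Require that has no
    AuthLDAPURL outside <AuthnProviderAlias>. Assumption: one flat scope."""
    stack = []          # names of currently open sections, lower-cased
    authz_url = False   # AuthLDAPURL seen outside any provider alias
    requires = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1).lower())
            continue
        in_alias = "authnprovideralias" in stack
        if line.lower().startswith("authldapurl") and not in_alias:
            authz_url = True   # usable by the authz phase
        m = LDAP_REQUIRE.match(line)
        if m and not in_alias:
            requires.append((no, m.group(1).lower()))
    return [] if authz_url else requires

# Constructed sample mirroring the failing configuration in the report.
BROKEN = """\
<AuthnProviderAlias ldap ldap-test>
AuthLDAPURL ldap://xxx/ou=people,dc=xxx,dc=fr
</AuthnProviderAlias>
AuthName "test"
AuthType Basic
AuthBasicProvider ldap-test
Require ldap-group cn=xxx,ou=groups,dc=xxx,dc=fr
"""
# Same text with an AuthLDAPURL added outside the alias for the authz phase.
FIXED = BROKEN.replace("AuthName", "AuthLDAPURL ldap://xxx/ou=people,dc=xxx,dc=fr\nAuthName")

if __name__ == "__main__":
    print(find_authz_without_url(BROKEN), find_authz_without_url(FIXED))
```

The check does not model how httpd merges <Directory> and .htaccess scopes, so run it per file and treat a hit as a prompt to confirm where the authorization-side AuthLDAPURL comes from.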