Posted to users@httpd.apache.org by Sven Peters <sp...@lucky-tv.de> on 2003/02/04 19:58:19 UTC

[users@httpd] auth_mod_ldap with groups - invalid DN ?

Hi,

I'm trying to use mod_auth_ldap in 2.0.44 for LDAP group auth.
This is my config (the interesting part):

        <Directory /home/intranet/sysadmin/>
                AuthType Basic
                AuthName "Sysadmin-Bereich"
                order deny,allow
                AuthLDAPEnabled on
                AuthLDAPURL "ldap://localhost/dc=lucky,dc=de?uid"
                AuthLDAPGroupAttributeIsDN Off
                AuthLDAPGroupAttribute memberUid
                require group "cn=Domain Admins,ou=Groups,dc=lucky,dc=de"
        </Directory>

When the auth is in progress I get the following in the error_log:

[Tue Feb 04 19:48:37 2003] [debug] mod_auth_ldap.c(261): [client 192.168.3.193] [22043] auth_ldap authenticate: using URL ldap://localhost/dc=lucky,dc=de?uid
[Tue Feb 04 19:48:37 2003] [debug] mod_auth_ldap.c(329): [client 192.168.3.193] [22043] auth_ldap authenticate: accepting spete
[Tue Feb 04 19:48:37 2003] [debug] mod_auth_ldap.c(549): [client 192.168.3.193] [22043] auth_ldap authorise: require group: testing for group membership in `"cn=Domain Admins,ou=Groups,dc=lucky,dc=de"'
[Tue Feb 04 19:48:37 2003] [debug] mod_auth_ldap.c(554): [client 192.168.3.193] [22043] auth_ldap authorise: require group: testing for memberUid: spete ("cn=Domain Admins,ou=Groups,dc=lucky,dc=de")
[Tue Feb 04 19:48:37 2003] [debug] mod_auth_ldap.c(569): [client 192.168.3.193] [22043] auth_ldap authorise: require group: authorisation failed [Comparison complete][Invalid DN syntax]
[Tue Feb 04 19:48:37 2003] [debug] mod_auth_ldap.c(592): [client 192.168.3.193] [22043] auth_ldap authorise: authorisation denied

Also the ldap.log shows:

Feb  4 19:48:37 mars slapd[21239]: do_compare: invalid dn ("cn=Domain Admins,ou=Groups,dc=lucky,dc=de")

The LDAP entry of the group looks like this:

dn: cn=Domain Admins,ou=Groups,dc=lucky,dc=de
objectClass: posixGroup
gidNumber: 200
cn: Domain Admins
description: Windows Domain Users
memberUid: spete

What's wrong with my config? What do I need to set to provide a valid DN?

Thanks for helping.

--Sven


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
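As an added illustration (not code from the post, from mod_auth_ldap or from slapd), the Python below models what the error_log and slapd log above show: Apache stores the argument of Require raw, so the double quotes around the DN become part of the DN handed to the LDAP compare, and the server answers invalidDNSyntax before the memberUid value is ever looked at. The group entry is a constructed copy of the one in the post; the DN check is a simplified RFC 2253 rule and the dictionary is an in-memory stand-in for the directory, both assumptions of this example.

```python
import re

# Constructed LDIF, copied from the group entry shown in the post.
GROUP_LDIF = """dn: cn=Domain Admins,ou=Groups,dc=lucky,dc=de
objectClass: posixGroup
gidNumber: 200
cn: Domain Admins
description: Windows Domain Users
memberUid: spete
"""

# Simplified RFC 2253 RDN rule: attribute type, '=', value. A leading
# double quote is not a valid attribute type, so '"cn=...' fails here.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=[^,]+$")


def parse_ldif(text):
    """Return {dn: {attr: [values]}} for a simple LDIF (stand-in for slapd)."""
    entries, entry = {}, None
    for line in text.splitlines():
        if not line.strip():
            entry = None
            continue
        attr, _, value = line.partition(": ")
        if attr == "dn":
            entry = entries.setdefault(value, {})
        else:
            entry.setdefault(attr, []).append(value)
    return entries


def dn_is_valid(dn):
    """slapd rejects the DN before any lookup if an RDN is not type=value."""
    return all(RDN_RE.match(rdn.strip()) for rdn in dn.split(","))


def require_group_arg(directive_line):
    """Require's argument is kept raw (RAW_ARGS): surrounding quotes survive."""
    return directive_line.split(None, 2)[2]


def ldap_compare(directory, dn, attr, value):
    """Model an LDAP compare: the result names mirror LDAP result codes."""
    if not dn_is_valid(dn):
        return "invalidDNSyntax"
    entry = directory.get(dn)
    if entry is None:
        return "noSuchObject"
    return "compareTrue" if value in entry.get(attr, []) else "compareFalse"


def authorise(directory, directive_line, user, group_attr="memberUid"):
    """AuthLDAPGroupAttributeIsDN Off: compare the bare username, not a user DN."""
    return ldap_compare(directory, require_group_arg(directive_line), group_attr, user)
```

Running authorise() with the quoted DN from the post reproduces the invalidDNSyntax result; the same directive without the quotes reaches the memberUid compare.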


Re: [users@httpd] login once for two virtual host

Posted by Joshua Slive <jo...@slive.ca>.

On Thu, 27 Mar 2003, Farid Hamjavar wrote:
> If a user logs into doc1web.unm.edu and then clicks on something that
> lands her on doc2web.unm.edu, the user is, of course, prompted with the
> login dialog box again.
>
> How can we avoid that? So users who login once to doc1web.unm.edu
> are not presented with the second login dialog box (for doc2web.unm.edu)

This can't be done with HTTP basic auth.  It violates basic security
principles because it would allow one host to steal passwords used on
another host.

The only way to do this is to forget HTTP basic auth and use some other
method of session tracking (cookies, URL path, etc.) that allows you to
pass a session between hosts.

Joshua.


[users@httpd] login once for two virtual host

Posted by Farid Hamjavar <ha...@unm.edu>.

Apache 1.3.27
auth_ldap 1.4

hello,

I am not sure (I don't think) this is an auth_ldap question but I may be 
mistaken.


We have two distinct virtual hosts, doc1web.unm.edu and doc2web.unm.edu, and
both are getting authenticated with auth_ldap fine. Note that the
authentication (i.e. LDAP bind) is the same for both, with the same group of
users, etc.


We would like to do this but do not know how (or even if it is possible):

If a user logs into doc1web.unm.edu and then clicks on something that
lands her on doc2web.unm.edu, the user is, of course, prompted with the
login dialog box again.


How can we avoid that, so that users who log in once to doc1web.unm.edu
are not presented with the second login dialog box (for doc2web.unm.edu)?

Thanks,
Farid
UNM
