Posted to users@httpd.apache.org by Jesper Krogh <je...@gmail.com> on 2008/12/05 22:43:07 UTC
[users@httpd] mod_auth_kerb and mod_authnz_ldap
Hi.
I'm trying to get a setup working where kerberos does authentication
and ldap does authorization based on an Active Directory group.
Alone the kerberos stuff works excellent. Even with a "Require group
something" from a group file.
But going to the LDAP configuration something goes wrong:
--- config ---
AuthType Kerberos
AuthName "SPNEGO"
KrbAuthRealms REALM
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbStripRealm on
Krb5Keytab /etc/val.keytab
KrbServiceName <service>
AuthLDAPBindDN "Jesper@domain"
AuthLDAPBindPassword SECRET
AuthzLDAPAuthoritative off
AuthLDAPUrl "ldap://<AD-URI>?sAMAccountName"
Require ldap-group CN=TestGroup,OU=Groups,OU=Company
require valid-user
---------------
When I'm in the group, it logs:
[Fri Dec 05 21:18:40 2008] [debug] mod_authnz_ldap.c(730): [client
10.194.134.5] [24636] auth_ldap authorise: require group
: authorisation successful (attribute member) [Comparison true
(cached)][Compare True
And when I'm not in the group it logs:
[Fri Dec 05 22:27:44 2008] [debug] mod_authnz_ldap.c(847): [client
10.194.134.5] [28497] auth_ldap authorise: declining to
authorise
... which both seem correct.
The problem is that in both cases I end up getting the pages served.
Why don't I get a 401 in the second situation?
Thanks.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_auth_kerb and mod_authnz_ldap
Posted by Jesper Krogh <je...@gmail.com>.
>> But It still lets people in instead of sending a 401 page.
>
> Weird on a few fronts, are you sure this log entry corresponds to the 200?
Triple checking... You're right, it "just bloody works".
> 1) "AuthzLDAPAuthoritative off" means you should see "declining to
> authorise" instead of "authorization denied"
> 2) Once you see this message, I don't think any other module would
> have a chance to flip it to a 200
It was the browser cache playing tricks on me; the correct codes were
indeed written in the Apache logs
... once the cache was flushed.
--
Jesper
Re: [users@httpd] mod_auth_kerb and mod_authnz_ldap
Posted by Eric Covener <co...@gmail.com>.
On Sat, Dec 6, 2008 at 1:51 AM, Jesper Krogh <je...@gmail.com> wrote:
> On Fri, Dec 5, 2008 at 11:48 PM, Eric Covener <co...@gmail.com> wrote:
>> On 12/5/08, Jesper Krogh <je...@gmail.com> wrote:
>>
>>> Require ldap-group CN=TestGroup,OU=Groups,OU=Company
>>> require valid-user
>>
>> Require directives are OR'ed not AND'ed, despite the way "require" sounds.
>
> Removing the "require valid-user" from the configuration changes the
> error message to:
> [Sat Dec 06 07:49:26 2008] [debug] mod_authnz_ldap.c(852): [client
> 10.194.134.5] [22264] auth_ldap authorise: authorisation denied
>
> But It still lets people in instead of sending a 401 page.
Weird on a few fronts, are you sure this log entry corresponds to the 200?
1) "AuthzLDAPAuthoritative off" means you should see "declining to
authorise" instead of "authorization denied"
2) Once you see this message, I don't think any other module would
have a chance to flip it to a 200
--
Eric Covener
covener@gmail.com
Re: [users@httpd] mod_auth_kerb and mod_authnz_ldap
Posted by Jesper Krogh <je...@gmail.com>.
On Fri, Dec 5, 2008 at 11:48 PM, Eric Covener <co...@gmail.com> wrote:
> On 12/5/08, Jesper Krogh <je...@gmail.com> wrote:
>
>> Require ldap-group CN=TestGroup,OU=Groups,OU=Company
>> require valid-user
>
> Require directives are OR'ed not AND'ed, despite the way "require" sounds.
Removing the "require valid-user" from the configuration changes the
error message to:
[Sat Dec 06 07:49:26 2008] [debug] mod_authnz_ldap.c(852): [client
10.194.134.5] [22264] auth_ldap authorise: authorisation denied
But It still lets people in instead of sending a 401 page.
--
Jesper
Re: [users@httpd] mod_auth_kerb and mod_authnz_ldap
Posted by Eric Covener <co...@gmail.com>.
On 12/5/08, Jesper Krogh <je...@gmail.com> wrote:
> Require ldap-group CN=TestGroup,OU=Groups,OU=Company
> require valid-user
Require directives are OR'ed not AND'ed, despite the way "require" sounds.
--
Eric Covener
covener@gmail.com
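The OR'ing of Require lines that Eric describes is why a valid Kerberos ticket alone was enough to get the page served. The following is an added illustration, not httpd's own code: a small model of how httpd 2.2 combines the two Require lines from the original config (2.2 semantics, which 2.4 spells <RequireAny>) against constructed users, beside the <RequireAll> semantics the poster actually wanted. User names, groups and the User class are assumptions for the example.

```python
from dataclasses import dataclass, field


# Constructed sample principal attributes (not from the thread).
@dataclass(frozen=True)
class User:
    name: str
    authenticated: bool  # Kerberos (SPNEGO) negotiation succeeded
    groups: frozenset = field(default_factory=frozenset)  # AD group DNs


TEST_GROUP = "CN=TestGroup,OU=Groups,OU=Company"
# The thread's configuration: group check plus a catch-all "require valid-user".
WEAK_REQUIRES = [("ldap-group", TEST_GROUP), ("valid-user", None)]
# The intended configuration: only the group check.
FIXED_REQUIRES = [("ldap-group", TEST_GROUP)]


def satisfies(user: User, directive) -> bool:
    """Evaluate a single Require line against the user."""
    kind, arg = directive
    if kind == "valid-user":
        return user.authenticated
    if kind == "ldap-group":
        return user.authenticated and arg in user.groups
    raise ValueError(f"unknown Require type {kind!r}")


def authorize(user: User, requires, mode: str = "any") -> bool:
    """mode="any": httpd 2.2 behaviour, Require lines are OR'ed, so one satisfied
    line is enough (2.4 spells this <RequireAny>).
    mode="all": 2.4's <RequireAll>, the AND the thread author expected."""
    if not user.authenticated or not requires:
        return False
    results = [satisfies(user, r) for r in requires]
    return any(results) if mode == "any" else all(results)


def http_status(user: User, requires, mode: str = "any") -> int:
    # As in the thread: 200 once a Require line is satisfied, 401 otherwise.
    return 200 if authorize(user, requires, mode) else 401


MEMBER = User("member", True, frozenset({TEST_GROUP}))
OUTSIDER = User("outsider", True)  # valid ticket, but not in TestGroup
ANONYMOUS = User("anonymous", False)

if __name__ == "__main__":
    for label, reqs in (("weak", WEAK_REQUIRES), ("fixed", FIXED_REQUIRES)):
        for u in (MEMBER, OUTSIDER, ANONYMOUS):
            print(f"{label:5} {u.name:9} -> {http_status(u, reqs)}")
```

With the weak list the outsider gets 200 because "valid-user" alone is satisfied; dropping that line, or using <RequireAll> on 2.4, is what makes the group check binding.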