You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Patricia A Moss <pm...@csc.com> on 2010/11/15 20:59:01 UTC
[users@httpd] Group authentication to AD
I am having a problem with apache authenticating using an ldap group. I
have version 2.2.3, of httpd, installed.
My location block is configured as below:
<Location /test_repo>
dav svn
SVNPath /disk01/home/test_repo
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider ldap-FCGNET ldap-VIET
AuthzLDAPAuthoritative on
Require valid-user
Require ldap-group CN=Active_Directory Group
Name,OU=U.S.,OU=Groups,DC=domain,DC=com
#Require ldap-user pmoss
</Location>
I've configured my aliases, in my http.conf file, as follows:
<AuthnProviderAlias ldap ldap-FCGNET>
AuthLDAPBindDN FCGNET\account_name
AuthLDAPBindPassword xxxxxxxxxx
AuthLDAPURL
ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-VIET>
AuthLDAPBindDN "CN=account_name,OU=Service
Accounts,OU=Users,OU=Production,DC=domain,DC=com"
AuthLDAPBindPassword xxxxxxxxx
AuthLDAPURL
ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
</AuthnProviderAlias>
My goal(s):
1. Allow only 1 specific, Active Directory, group access to the
repository.
2. Simultaneously, allow a single user account, that is not a member of
the group, access to the repository
My attempts:
1. Configuration, as above, allows any valid user access to the
repository; whether they are a member of the group or not.
2. If I remove "Require valid-user" then I receive an error when
attempting access the repository and the error.log is as follows:
[Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(377): [client
20.8.xxx.18x] [27994] auth_ldap authenticate: using URL
ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
[Mon Nov 15 14:38:15 2010] [debug] mod_authnz_ldap.c(474): [client
20.8.xxx.18x] [27994] auth_ldap authenticate: accepting pmoss
[Mon Nov 15 14:38:15 2010] [crit] [client 20.8.232.187] configuration
error: couldn't check access. No groups file?: /test_repo/
3. I tried a "LimitExcept" block, shown below.
<Location /test_repo>
dav svn
SVNPath /disk01/home/test_repo
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider ldap-FCGNET ldap-VIET
AuthzLDAPAuthoritative on
#Require valid-user
# Limit R/W access to specified AD group
<LimitExcept GET PROPFIND OPTIONS REPORT>
Require ldap-group CN=Active_Directory Group
Name,OU=U.S.,OU=Groups,DC=domain,DC=com
</LimitExcept>
#Require ldap-user pmoss
</Location>
I could successfully gain access to the repository, and I am not a member
of the group.
4. I uncommented the "Require valid-user" line and was, again, successful
in attempting access; and I am not a member of the group.
5. If I change the AuthzLDAPAuthoritative to off, I can still gain access
to the repository.
In my httpd.conf, I have the following modules:
LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule dav_module modules/mod_dav.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule dav_svn_module modules/mod_dav_svn.so
LoadModule authz_svn_module modules/mod_authz_svn.so
LoadModule authn_alias_module modules/mod_authn_alias.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule alias_module modules/mod_alias.so
I've been searching around for answers but nothing seems to be solving my
problem.
I believe I have all the modules loaded that need to be there.
I am not sure what I may be missing from my configuration or what may be
mis-configured. Hopefully someone can help me in achieving the goals.
Thanks in advance.
PATI MOSS
System Engineer Sr. Professional
CSC