Posted to users@httpd.apache.org by Todd Nine <to...@gmail.com> on 2007/03/20 03:19:15 UTC
[users@httpd] help with mod_authz_ldap
Hi all,
I'm having a bit of trouble getting mod_authz_ldap to work. I have my OU
layout and my posix groups layout included. I'm simply trying to
authenticate the user "tnine" against the group
cn=development,ou=Groups,dc=arocksoftware,dc=com
I receive the following error, so I'm obviously not getting authorized
auth_ldap authenticate: user tnine authentication failed; URI /vcproject/
[ldap_search_ext_s() for user failed][No such object]
I have the following settings in my authorization directive. But I have
several questions. Any help would be greatly appreciated.
1. I'm using a posixGroup, is that not possible?
2. I have set the log level to debug, but I only get the above line in the
error_log. I'd like to see the query string it's issuing, is that possible?
3. I thought that by setting the AuthLDAPGroupAttribute it would find my
username and authenticate me, is that not correct?
Thanks in advance for the help.
Todd
subversion.conf file
<Location />
DAV svn
SVNParentPath /srv/svnrepos
# Limit write permission to list of valid users.
# Require SSL connection for password protection.
# SSLRequireSSL
AuthType Basic
AuthName "ARock Software Subversion"
AuthBasicProvider ldap
AuthLDAPURL ldap://ldap:389/
require ldap-group cn=development,ou=Groups,dc=arocksoftware,dc=com
AuthzLDAPAuthoritative on
AuthLDAPGroupAttribute memberUid
AuthzLDAPLogLevel debug
Require valid-user
</Location>
Dump of openldap schema
dn: dc=arocksoftware,dc=com
objectClass: dcObject
objectClass: organization
dc: arocksoftware
o: Arock Software
dn: cn=Manager,dc=arocksoftware,dc=com
cn: Manager
objectClass: organizationalRole
objectClass: top
dn: ou=Groups,dc=arocksoftware,dc=com
ou: Groups
objectClass: organizationalUnit
objectClass: top
dn: cn=development,ou=Groups,dc=arocksoftware,dc=com
cn: development
gidNumber: 1001
objectClass: posixGroup
objectClass: top
memberUid: tnine
dn: ou=People,dc=arocksoftware,dc=com
ou: People
objectClass: organizationalUnit
objectClass: top
dn: ou=Customers,ou=People,dc=arocksoftware,dc=com
ou: Customers
objectClass: organizationalUnit
objectClass: top
dn: ou=Employees,ou=People,dc=arocksoftware,dc=com
ou: Employees
objectClass: organizationalUnit
objectClass: top
dn: cn=Todd Nine,ou=Employees,ou=People,dc=arocksoftware,dc=com
givenName: Todd
sn: Nine
cn: Todd Nine
uid: tnine
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/users/development/ne
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword: {SHA}removed
Re: [users@httpd] help with mod_authz_ldap
Posted by Todd Nine <to...@gmail.com>.
Hopefully this reply will help someone else who has encountered this
problem. Here is my solution, and my understanding of how it works.
Listen 81
<Location />
#subversion configuration
DAV svn
SVNParentPath /srv/svnrepos
# Limit write permission to list of valid users.
# Require SSL connection for password protection.
# SSLRequireSSL
AuthType Basic
AuthName "ARock Software Subversion"
#set the authentication to ldap
AuthBasicProvider ldap
#Admin binding
AuthLDAPBindDN cn=Manager,dc=mydomain,dc=com
AuthLDAPBindPassword mypassword
AuthzLDAPAuthoritative off
#Default Search String, this is used to validate users
AuthLDAPURL ldap://ldap:389/ou=Employees,ou=People,dc=mydomain,dc=com
#require a member of the dev group. In my LDAP, the attribute of users
#on the posix group is "memberUid"
AuthLDAPGroupAttribute memberUid
#the value of the attribute above is a username, not a full name
AuthLDAPGroupAttributeIsDN off
require ldap-group cn=development,ou=Groups,dc=mydomain,dc=com
</Location>
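Added example, not part of the thread and not mod_authnz_ldap's own code: a small Python model of the two lookups Apache performs for "require ldap-group". First it searches for the user under the base DN given in AuthLDAPURL, then it reads the group entry and compares the values of AuthLDAPGroupAttribute against either the user's DN (AuthLDAPGroupAttributeIsDN on, the default) or the bare username (off). It runs against an in-memory copy of the LDIF posted above and reproduces the three outcomes seen in the thread: the "No such object" failure from the empty base DN in ldap://ldap:389/, the denial when memberUid is configured but AuthLDAPGroupAttributeIsDN is left at its default, and the final working configuration. DIRECTORY, LdapConfig and the function names are this example's own; treating any unknown base DN as "No such object" is a simplification of what the posted log shows OpenLDAP returning, and the example uses dc=arocksoftware throughout instead of the redacted dc=mydomain.

```python
# Added example (not from the thread, not mod_authnz_ldap source): an
# in-memory model of Apache's user search + "require ldap-group" check,
# populated from the LDIF posted in the thread.
from dataclasses import dataclass

# Entries copied from the posted LDIF. userPassword is left out because this
# example models the search and group check, not the bind.
DIRECTORY = {
    "dc=arocksoftware,dc=com": {"objectClass": ["dcObject", "organization"]},
    "cn=Manager,dc=arocksoftware,dc=com": {"objectClass": ["organizationalRole"]},
    "ou=Groups,dc=arocksoftware,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=development,ou=Groups,dc=arocksoftware,dc=com": {
        "objectClass": ["posixGroup"], "gidNumber": ["1001"], "memberUid": ["tnine"]},
    "ou=People,dc=arocksoftware,dc=com": {"objectClass": ["organizationalUnit"]},
    "ou=Customers,ou=People,dc=arocksoftware,dc=com": {"objectClass": ["organizationalUnit"]},
    "ou=Employees,ou=People,dc=arocksoftware,dc=com": {"objectClass": ["organizationalUnit"]},
    "cn=Todd Nine,ou=Employees,ou=People,dc=arocksoftware,dc=com": {
        "objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["tnine"],
        "uidNumber": ["1000"], "gidNumber": ["1000"]},
}


@dataclass
class LdapConfig:
    """The subset of mod_authnz_ldap directives this example models."""
    base_dn: str                    # base DN part of AuthLDAPURL
    user_attr: str = "uid"          # attribute part of AuthLDAPURL
    group_dn: str = ""              # value of "require ldap-group"
    group_attr: str = "member"      # AuthLDAPGroupAttribute
    group_attr_is_dn: bool = True   # AuthLDAPGroupAttributeIsDN (default on)


def norm_dn(dn: str) -> str:
    """Case-insensitive DN comparison, ignoring spaces after commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def search_user(base_dn: str, attr: str, username: str) -> str:
    """Subtree search for (attr=username) under base_dn, Apache's first step.
    Returns the single matching DN. Raises LookupError with the message from
    the posted log when the base does not exist (this model's simplification
    of the server's noSuchObject result), or when the match is not unique."""
    base = norm_dn(base_dn)
    if base not in {norm_dn(d) for d in DIRECTORY}:
        raise LookupError("No such object")
    hits = [dn for dn, entry in DIRECTORY.items()
            if (norm_dn(dn) == base or norm_dn(dn).endswith("," + base))
            and username in entry.get(attr, [])]
    if len(hits) != 1:
        raise LookupError("user not found" if not hits else "user not unique")
    return hits[0]


def in_group(cfg: LdapConfig, user_dn: str, username: str) -> bool:
    """Second step: compare the group's group_attr values against the user's
    DN (IsDN on) or the bare username (IsDN off)."""
    group = DIRECTORY.get(cfg.group_dn)
    if group is None:
        return False
    values = group.get(cfg.group_attr, [])
    if cfg.group_attr_is_dn:
        return any(norm_dn(v) == norm_dn(user_dn) for v in values)
    return username in values


def authorize(cfg: LdapConfig, username: str) -> str:
    """Outcome of "require ldap-group" for username under cfg."""
    try:
        user_dn = search_user(cfg.base_dn, cfg.user_attr, username)
    except LookupError as exc:
        return f"DENY: {exc}"
    return "ALLOW" if in_group(cfg, user_dn, username) else "DENY: not in group"


GROUP = "cn=development,ou=Groups,dc=arocksoftware,dc=com"
# The three configurations from the thread, in order.
FIRST = LdapConfig(base_dn="", group_dn=GROUP, group_attr="memberUid")
SECOND = LdapConfig(base_dn="ou=Employees,ou=People,dc=arocksoftware,dc=com",
                    group_dn=GROUP, group_attr="memberUid")  # IsDN still on
FINAL = LdapConfig(base_dn="ou=Employees,ou=People,dc=arocksoftware,dc=com",
                   group_dn=GROUP, group_attr="memberUid", group_attr_is_dn=False)

if __name__ == "__main__":
    for name, cfg in (("first", FIRST), ("second", SECOND), ("final", FINAL)):
        print(f"{name:6s} tnine -> {authorize(cfg, 'tnine')}")
```

The SECOND case is the one the thread spends most time on: the user search succeeds, but with AuthLDAPGroupAttributeIsDN at its default the module compares "cn=Todd Nine,ou=Employees,..." against the memberUid value "tnine" and denies. posixGroup membership works once the comparison is switched to the username, as the final posted configuration does.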
Re: [users@httpd] help with mod_authz_ldap
Posted by Todd Nine <to...@gmail.com>.
Hi Gaël,
I'm a bit of an LDAP noob from the administrative side, I've only connected
and queried information from Java Applications. I've installed OpenLDAP on
CentOS 4.3, I'm connecting to LDAP from a Fedora 6 box with Apache 2.2. I
have it partially working thanks to your response! I missed the
"AuthzLDAPAuthoritative
directive be set to off" for require valid-user. I have the following
configuration and it now works for all employee access, but I want to limit
it to only developers. The posix group "developers" path is below
cn=development,ou=Groups,dc=arocksoftware,dc=com
The member attribute in the development group is "memberUid" for the user id of all members.
I tried changing the config below to the following parameters, and it won't
authenticate with the require group on. If I comment out the group
directive and just go with require valid user, it works. Can I get any help
on what's wrong with my group query string?
Thanks,
Todd
Working Starting point
<Location />
DAV svn
SVNParentPath /srv/svnrepos
# Limit write permission to list of valid users.
# Require SSL connection for password protection.
# SSLRequireSSL
#Admin binding
AuthLDAPBindDN {admin dn removed}
AuthLDAPBindPassword {admin password removed}
AuthzLDAPAuthoritative off
#Default Search String
AuthLDAPURL ldap://ldap:389/ou=Employees,ou=People,dc=arocksoftware,dc=com?uid
#require a member of the dev group
AuthLDAPGroupAttribute memberUid
require ldap-group cn=development,ou=Groups,dc=arocksoftware,dc=com
#Require valid-user
</Location>
Re: [users@httpd] help with mod_authz_ldap
Posted by Gaël Lams <la...@gmail.com>.
On 3/20/07, Todd Nine <to...@gmail.com> wrote:
> Hi all,
> I'm having a bit of trouble getting mod_authz_ldap to work. I have my OU
> layout and my posix groups layout included. I'm simply trying to
> authenticate the user "tnine" against the group
> cn=development,ou=Groups,dc=arocksoftware,dc=com
>
>
> I receive the following error, so I'm obviously not getting authorized
>
> auth_ldap authenticate: user tnine authentication failed; URI /vcproject/
> [ldap_search_ext_s() for user failed][No such object]
>
>
> I have the following settings in my authorization directive. But I have
> several questions. Any help would be greatly appreciated.
>
> 1. I'm using a posixGroup, is that not possible?
> 2. I have set the log level to debug, but I only get the above line in the
> error_log. I'd like to see the query string its issuing, is that possible?
> 3. I thought that by setting the AuthLDAPGroupAttribute it would find my
> username and authenticate me, is that not correct?
I personally always look on the LDAP back-end side to see the query
string being issued. Which LDAP directory are you using?
Before working with a group, do you have the LDAP authentication
working for a single user?
The "require valid-user" directive requires that mod_authz_user be loaded
and that the AuthzLDAPAuthoritative directive be set to off, but you
have it set to off
(http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqvaliduser).
AuthLDAPGroupAttribute specifies which LDAP attributes are used to
check for group membership.
The require directives are used during the authorization phase: are
you sure you're right in specifying both require valid-user and
require ldap-group? As said a few lines below, require valid-user
requires an additional authorization module (mod_authz_user). Why
don't you use only require ldap-group? This way you could leave
"AuthzLDAPAuthoritative On".
Regards,
Gaël