Posted to users@httpd.apache.org by Sohail Somani <s....@fincad.com> on 2006/11/10 02:30:52 UTC
[users@httpd] Apache 2 + LDAP - valid user/pw not authenticated?
Hi,
I'm trying to set up ldap authentication. I am pretty sure that it
authenticates because if I get the following results from the error logs
in specific situations:
Invalid user: auth_ldap authenticate: user <bad_user> authentication
failed; URI /mypaty [User not found][No such object]
Valid user/invalid pw: user <good_user>: authentication failure for
"/mypath": Password Mismatch
Valid user/valid pw: No output from error log
So I assume that it works and is set up correctly. Additionally, I have
used ldapsearch to verify that the ldap strings are doing the right
dance.
However, in the last case, when it appears that I have authenticated,
Firefox/IE keep popping up the authorization box even when the user/pw
are correct! Here is my relevant (I hope) config:
<Location /mypath>
    AuthType basic
    AuthName "Authentication domain"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
    AuthLDAPBindPassword "<password>"
    SSLRequireSSL
    require valid-user
</Location>
Any assistance would be great!
TIA
Sohail
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Apache 2 + LDAP - valid user/pw not authenticated?
Posted by Christophe Gravier <ch...@univ-st-etienne.fr>.
Sohail Somani wrote:
> Hi,
>
> I'm trying to set up ldap authentication. I am pretty sure that it
> authenticates because if I get the following results from the error logs
> in specific situations:
>
> Invalid user: auth_ldap authenticate: user <bad_user> authentication
> failed; URI /mypaty [User not found][No such object]
> Valid user/invalid pw: user <good_user>: authentication failure for
> "/mypath": Password Mismatch
> Valid user/valid pw: No output from error log
>
> So I assume that it works and is set up correctly. Additionally, I have
> used ldapsearch to verify that the ldap strings are doing the right
> dance.
>
> However, in the last case, when it appears that I have authenticated,
> Firefox/IE keep popping up the authorization box even when the user/pw
> are correct! Here is my relevant (I hope) config:
>
> <Location /mypath>
>     AuthType basic
>     AuthName "Authentication domain"
>     AuthBasicProvider ldap
>     AuthzLDAPAuthoritative on
>     AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
>     AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
>     AuthLDAPBindPassword "<password>"
>     SSLRequireSSL
>     require valid-user
> </Location>
>
> Any assistance would be great!
>
Are you using Apache >= 2.2?
If yes, "require valid-user" is not the directive for the authnz_ldap module.
If you're using Apache >= 2.2 and you want to:
1/ allow "any" authenticated user to enter, whatever his group membership
(i.e. no authorization control), you must "bypass" the authz_ldap
authorization module by setting "AuthzLDAPAuthoritative" to off (else
Apache searches for require ldap-user or ldap-group directives):
<Location /mypath>
    AuthType basic
    AuthName "Authentication domain"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative off
    AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
    AuthLDAPBindPassword "<password>"
    SSLRequireSSL
    require valid-user
</Location>
2/ allow a limited list of known users of the directory (this needs the
require ldap-user directive and not require ldap-user):
<Location /mypath>
    AuthType basic
    AuthName "Authentication domain"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
    AuthLDAPBindPassword "<password>"
    SSLRequireSSL
    require ldap-user myuser_uid
</Location>
3/ allow a group of users (authorization based on group membership):
<Location /mypath>
    AuthType basic
    AuthName "Authentication domain"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
    AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
    AuthLDAPBindPassword "<password>"
    SSLRequireSSL
    require ldap-group my_group_full_dn
</Location>
HTH
Christophe
> TIA
>
> Sohail
--
Christophe Gravier
DIOM Laboratory, SATIn team - PhD student http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Research engineer http://www.istase.com
Perso: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/
Re: [users@httpd] Apache 2 + LDAP - valid user/pw not authenticated?
Posted by "John P. Dodge" <do...@cruciate.ca.boeing.com>.
On Thu, 9 Nov 2006, Sohail Somani wrote:
> Hi,
>
> Invalid user: auth_ldap authenticate: user <bad_user> authentication
> failed; URI /mypaty [User not found][No such object]
> Valid user/invalid pw: user <good_user>: authentication failure for
> "/mypath": Password Mismatch
> Valid user/valid pw: No output from error log
>
> <Location /mypath>
>     AuthType basic
>     AuthName "Authentication domain"
>     AuthBasicProvider ldap
>     AuthzLDAPAuthoritative on
>     AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
>     AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
>     AuthLDAPBindPassword "<password>"
>     SSLRequireSSL
>     require valid-user
> </Location>
>
Try:
    AuthzLDAPAuthoritative off
This is the required setting when using "require valid-user".
----------------------------------------
"My hovercraft is full of eels"
John P. Dodge
Boeing Shared Services
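A small checker for the misconfiguration both replies point at (Christophe's case 1 and John's one-line fix: "require valid-user" needs AuthzLDAPAuthoritative off on httpd 2.2), as an added example that is not code from the thread or from the Apache project. The sample block is constructed from the poster's config with the mail-client line wraps undone; <host>, <bind_user> and <password> stay placeholders, and the plain-ldap:// finding is a transport caveat added here, not something the thread discusses.

```python
import re

# Constructed sample: the poster's <Location> block with wrapped lines joined.
SAMPLE_CONF = '''
<Location /mypath>
AuthType basic
AuthName "Authentication domain"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
AuthLDAPBindPassword "<password>"
SSLRequireSSL
require valid-user
</Location>
'''

_DIRECTIVE = re.compile(r'^\s*(\w+)(?:\s+(.*?))?\s*$')


def parse_location(conf):
    """Return (path, directives) for the first <Location> block; directives maps
    the lower-cased directive name to its argument strings (quotes stripped)."""
    m = re.search(r'<Location\s+(\S+)>(.*?)</Location>', conf, re.S)
    if not m:
        raise ValueError('no <Location> block found')
    directives = {}
    for line in m.group(2).splitlines():
        dm = _DIRECTIVE.match(line)
        if dm:
            args = (dm.group(2) or '').strip('"')
            directives.setdefault(dm.group(1).lower(), []).append(args)
    return m.group(1), directives


def lint(conf):
    """Return findings: the thread's authz mismatch plus a transport caveat."""
    path, d = parse_location(conf)
    findings = []
    # httpd 2.2 defaults AuthzLDAPAuthoritative to On when it is not set.
    authoritative = d.get('authzldapauthoritative', ['on'])[-1].lower()
    requires = [r.lower() for r in d.get('require', [])]
    if any(r.startswith('valid-user') for r in requires) and authoritative == 'on':
        findings.append(f'{path}: "require valid-user" with AuthzLDAPAuthoritative on; '
                        'set it off (the thread fix) or use require ldap-user/ldap-group')
    url = d.get('authldapurl', [''])[-1]
    if url.lower().startswith('ldap://'):
        findings.append(f'{path}: AuthLDAPURL is plain ldap://, so the bind password and each '
                        'user password reach the directory unencrypted; SSLRequireSSL only '
                        'covers the browser-to-httpd hop')
    return findings


if __name__ == '__main__':
    for finding in lint(SAMPLE_CONF):
        print(finding)
```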