Posted to users@httpd.apache.org by Christophe Gravier <ch...@univ-st-etienne.fr> on 2006/11/06 13:41:14 UTC

[users@httpd] Require ldap-group directive issue in Apache 2.2

Hello,

Regarding the new Apache 2.2 authentication and authorization layers, 
especially ldap-group ( 
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ), I 
wanted to build authentication and authorization based on ldap group 
membership.

I built my directive the same way as in those man pages, that is:

<Location "/DevDSI_trac">
        SetEnv TRAC_ENV "/var/trac/DevDSI"
        AuthType Basic
        AuthName "DevDSI trac"
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
        require ldap-group cn=satin,ou=groups,o=istase,c=fr
</Location>

This is not working. I did check that ldap-group contains no typo.
AuthLDAPURL is OK since I can get my identification working with the 
"require ldap-user" directive.
I also got it working by setting AuthzLDAPAuthoritative to off for the 
"require valid-user" directive (but this is not ldap group based 
authorization, of course).

Moreover, my group is declared as follows in my openldap directory:
dn: cn=satin,ou=groups,o=istase,c=fr
objectClass: groupOfUniqueNames
uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
uniqueMember: etc....

So, when I try to log in to the web area, I receive a "401 Authorization 
required". There's no trace in the error log (I do get a trace if I enter a 
bad password, though).
This means I successfully go through the auth type and authentication layers 
but not through authorization (but no error message in error.log!).

My loaded modules are:
ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
alias.load, auth_basic.load, authn_file.load, authnz_ldap.load, 
authz_host.load, authz_owner.load, authz_user.load, autoindex.load, 
cgi.load, dav.load, dav_svn.load, dir.load, env.load, ldap.load, 
mime.load, negotiation.load, php4.conf, php4.load, status.load

I think I understand the new architecture well because I clearly got 
"ldap-user" and "valid-user without ldap authoritative" working. But 
there's something about ldap-group I haven't been able to figure out for a 
couple of days; that's why I decided to ask on this mailing list.

Does anyone have an idea about my configuration, please? I can post more 
info if needed.
Or at least, does anyone have a working configuration with ldap based on 
groups?

Thank you in advance,

Regards.

-- 
Christophe Gravier
DIOM Laboratory, SATIn team - PhD student http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Research engineer http://www.istase.com
Personal: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Require ldap-group directive issue in Apache 2.2

Posted by Eric Covener <co...@gmail.com>.
On 11/7/06, Christophe Gravier <ch...@univ-st-etienne.fr> wrote:
> Hello,
>
> Nobody is using ldap based authentication and authorization, based on
> group ?

Your configuration looks identical to mine, except my group
memberships are based on 'member' instead of 'uniquemember' -- but
they're the 2 values tried by apache by default.

You'd probably learn an immense amount of info by looking at an IP
trace between Apache and LDAP formatted by wireshark/ethereal.

Another interesting thing if you're linked against openldap and have
mysterious errors is to turn on debugging in the LDAP library, which
will be dumped to the error log. I've been unlucky getting any
environment variable or openldap config file to affect things, but you
can add the following to the util_ldap.c post-config hook:

+{
+    int LDAP_DEBUG_LEVEL = -1;
+    ldap_set_option(NULL , LDAP_OPT_DEBUG_LEVEL, &(LDAP_DEBUG_LEVEL));
+}
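Review bot: the return value of ldap_set_option() is discarded, so if the option is rejected you get neither the debug output nor any hint why; compare it against LDAP_OPT_SUCCESS and log a failure to the error log in the same hook. The all-caps local `int LDAP_DEBUG_LEVEL = -1;` reads like a library macro sitting next to the real LDAP_OPT_DEBUG_LEVEL constant; a plain `int debug_level = -1;` is clearer. Level -1 enables every OpenLDAP debug category, so treat this as a temporary diagnostic build: the error log will carry protocol-level detail of every bind and search, and the hunk should be reverted before the binary goes back into service.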



-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Require ldap-group directive issue in Apache 2.2

Posted by Christophe Gravier <ch...@univ-st-etienne.fr>.
Hello,

Is nobody using ldap based authentication and authorization based on 
groups?

I mean, I have been testing it for some days and I can't figure out the 
problem. I really think I'm compliant with the 2.2 doc (for example, require 
ldap-user is working and I don't see much difference with require 
ldap-group ...).

Did anybody succeed in building such a configuration?
If nobody did, I'll file a bug report ... (which is not necessary if 
someone has ever succeeded ;-)).

Thank you in advance,

Best Regards,

Christophe Gravier wrote:
> Hello,
>
> Regarding the new Apache 2.2 authentication and authorization layers, 
> especially ldap-group ( 
> http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ), 
> I wanted to build authentication and authorization based on ldap 
> group membership.
>
> I built my directive the same way as in those man pages, that is:
>
> <Location "/DevDSI_trac">
>        SetEnv TRAC_ENV "/var/trac/DevDSI"
>        AuthType Basic
>        AuthName "DevDSI trac"
>        AuthBasicProvider ldap
>        AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
>        require ldap-group cn=satin,ou=groups,o=istase,c=fr
> </Location>
>
> This is not working. I did check that ldap-group contains no typo.
> AuthLDAPURL is OK since I can get my identification working with the 
> "require ldap-user" directive.
> I also got it working by setting AuthzLDAPAuthoritative to off for the 
> "require valid-user" directive (but this is not ldap group based 
> authorization, of course).
>
> Moreover, my group is declared as follows in my openldap directory:
> dn: cn=satin,ou=groups,o=istase,c=fr
> objectClass: groupOfUniqueNames
> uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
> uniqueMember: etc....
>
> So, when I try to log in to the web area, I receive a "401 Authorization 
> required". There's no trace in the error log (I do get a trace if I enter a 
> bad password, though).
> This means I successfully go through the auth type and authentication 
> layers but not through authorization (but no error message in 
> error.log!).
>
> My loaded modules are:
> ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
> alias.load, auth_basic.load, authn_file.load, authnz_ldap.load, 
> authz_host.load, authz_owner.load, authz_user.load, autoindex.load, 
> cgi.load, dav.load, dav_svn.load, dir.load, env.load, ldap.load, 
> mime.load, negotiation.load, php4.conf, php4.load, status.load
>
> I think I understand the new architecture well because I clearly got 
> "ldap-user" and "valid-user without ldap authoritative" working. But 
> there's something about ldap-group I haven't been able to figure out for 
> a couple of days; that's why I decided to ask on this mailing list.
>
> Does anyone have an idea about my configuration, please? I can post more 
> info if needed.
> Or at least, does anyone have a working configuration with ldap based 
> on groups?
>
> Thank you in advance,
>
> Regards.
>


-- 
Christophe Gravier
DIOM Laboratory, SATIn team - PhD student http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Research engineer http://www.istase.com
Personal: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/




Re: [users@httpd] Require ldap-group directive issue in Apache 2.2

Posted by "John P. Dodge" <do...@cruciate.ca.boeing.com>.
On Mon, 6 Nov 2006, Christophe Gravier wrote:

> Hello,
>
> Regarding the new Apache 2.2 authentication and authorization layers,
> especially ldap-group (
> http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ), I
> wanted to build authentication and authorization based on ldap group
> membership.
>
> I built my directive the same way as in those man pages, that is:
>
> <Location "/DevDSI_trac">
>         SetEnv TRAC_ENV "/var/trac/DevDSI"
>         AuthType Basic
>         AuthName "DevDSI trac"
>         AuthBasicProvider ldap
>         AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
>         require ldap-group cn=satin,ou=groups,o=istase,c=fr
> </Location>
>
>
> Thank you in advance,
>
> Regards.
>
> --
> Christophe Gravier
> DIOM Laboratory, SATIn team - PhD student http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php

I had trouble with LDAP Groups when using Active Directory but I think it
is a symptom of my AD service.

I did have success with ldap-filter, which I could use to query an
attribute of the uid returned from LDAP (sAMAccountName).

 require ldap-filter &(memberOf=G4570)

This works for me as the group affiliations are "mostly" described as
attributes in (our) AD.


----------------------------------------
"My hovercraft is full of eels"
John P. Dodge
Boeing Shared Services
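Both configurations in this thread come down to which side of the directory holds the membership link: Christophe's groupOfUniqueNames entry lists member DNs on the group (the backward link that "require ldap-group" asks the server to compare against, trying member and uniqueMember by default as Eric notes), while John's Active Directory exposes the link on the user entry as memberOf, whose values are group DNs (what an ldap-filter on memberOf tests). The Python below is an added example written for this page, not code from the thread or from mod_authnz_ldap: the directory entries are constructed, DN matching is simplified (case-folded, whitespace around separators dropped) rather than full RFC 4514, and it models the decision offline instead of talking to a server. It shows the two cases a practitioner wants to see: the DN that the AuthLDAPURL search resolves the login to is what gets compared, so a search rooted in the wrong subtree (or one that finds two entries) yields a plain denial with no error condition, and a memberOf comparison only matches on the group's full DN.

```python
"""Offline model of a "user is in group X" decision for the two ways an LDAP
directory can express membership. Added example, not code from the thread or
from mod_authnz_ldap; entries are constructed and DN matching is simplified."""

GROUP_ATTRIBUTES = ("member", "uniqueMember")  # the two attributes tried by default

# Constructed directory: DN -> attributes, every value stored as a list.
DIRECTORY = {
    "uid=gravier.christophe,ou=person,o=istase,c=fr": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["gravier.christophe"],
    },
    # Same uid under another OU: a search rooted there resolves the login
    # to this DN, which the group does not list.
    "uid=gravier.christophe,ou=contractors,o=istase,c=fr": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["gravier.christophe"],
    },
    # Backward link: the group entry lists member DNs (groupOfUniqueNames).
    "cn=satin,ou=groups,o=istase,c=fr": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [
            "uid=gravier.christophe,ou=person,o=istase,c=fr",
            "uid=someone.else,ou=person,o=istase,c=fr",
        ],
    },
    # Forward link, Active Directory style: the user entry carries memberOf,
    # whose values are group DNs (names here are constructed).
    "cn=jdodge,ou=users,dc=example,dc=com": {
        "objectClass": ["user"],
        "sAMAccountName": ["jdodge"],
        "memberOf": ["cn=G4570,ou=groups,dc=example,dc=com"],
    },
}


def normalize_dn(dn):
    """Lower-case every RDN and drop whitespace around ',' and '='."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def attr_values(entry, name):
    """Attribute lookup, case-insensitive on the attribute name as LDAP is."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def search_user_dn(directory, base_dn, attribute, login):
    """Emulate the AuthLDAPURL search (base?attribute?sub?filter): the entry
    under base_dn whose attribute equals the login. Exactly one hit is
    required; zero or several hits both fail to resolve the user."""
    base = normalize_dn(base_dn)
    hits = []
    for dn, entry in directory.items():
        ndn = normalize_dn(dn)
        in_scope = ndn == base or ndn.endswith("," + base)
        if in_scope and login in attr_values(entry, attribute):
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None


def group_allows(directory, group_dn, user_dn):
    """Backward-link check, the shape of 'require ldap-group <dn>': is the
    user's DN among the group's member/uniqueMember values? A miss is just
    False; nothing went wrong, so there is no error condition to log."""
    group = directory.get(group_dn)
    if group is None:
        return False
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(v) == wanted
               for attr in GROUP_ATTRIBUTES
               for v in attr_values(group, attr))


def memberof_allows(directory, user_dn, group_dn):
    """Forward-link check, the shape of a filter on memberOf: does the user's
    own entry list the group's full DN?"""
    entry = directory.get(user_dn)
    if entry is None:
        return False
    wanted = normalize_dn(group_dn)
    return any(normalize_dn(v) == wanted for v in attr_values(entry, "memberOf"))


def authorize(directory, base_dn, login, group_dn):
    """Whole path: resolve the login to a DN as the auth search would, then
    run the group compare. Returns (resolved_dn, allowed)."""
    user_dn = search_user_dn(directory, base_dn, "uid", login)
    if user_dn is None:
        return None, False
    return user_dn, group_allows(directory, group_dn, user_dn)


if __name__ == "__main__":
    group = "cn=satin,ou=groups,o=istase,c=fr"
    for base in ("ou=person,o=istase,c=fr", "ou=contractors,o=istase,c=fr", "o=istase,c=fr"):
        print(base, "->", authorize(DIRECTORY, base, "gravier.christophe", group))
```

Running it prints one line per search base: the ou=person base resolves to the listed DN and is allowed, the ou=contractors base resolves to a DN the group never lists and is denied, and the o=istase base finds two entries for the same uid and fails to resolve at all. None of these three outcomes is an error from the directory's point of view, which is why a denial can show up as a bare 401 in the access log and nothing in error.log.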

