RES: apache + AD auth

Hey Tony,

Well, I was testing with a lot of possibilities...

When it was working, it was without quotes, like this:

Require ldap-group CN=group_access, OU=Group, DC=domain, DC=com

I did a lot of tests, put the quotes, removed the quotes....

It doesn't work anyway...

I'm still looking for a solution..

Thanks

________________________________________
From: Bennett, Tony [Bennett.Tony@xxxxxxxxxxx]
Sent: Wednesday, August 31, 2011 14:14
To: users@xxxxxxxxxxxxxxxx
Subject:  RE: apache + AD auth

Diego,

Not sure about 2.2.3, but the current version of the documentation
for the "Require ldap-group" directive (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup)
says:

        Require ldap-group
        This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:

                dn: cn=Administrators, o=Airius
                objectClass: groupOfUniqueNames
                uniqueMember: cn=Barbara Jenson, o=Airius
                uniqueMember: cn=Fred User, o=Airius

        The following directive would grant access to both Fred and Barbara:

                Require ldap-group cn=Administrators, o=Airius

        Behavior of this directive is modified by the AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN directives.

Note the comment about NOT surrounding the group's DN with quotes...
...you surrounded yours with quotes:
        Require ldap-group "CN=group_access, OU=Group, DC=domain, DC=com"

Don't know if that's the problem (probably not), but it is a deviation from the specs.

-tony

-----Original Message-----
From: Diego Maciel Gomes [mailto:diego.gomes@xxxxxxxxxxxxxx]
Sent: Wednesday, August 31, 2011 9:33 AM
To: users@xxxxxxxxxxxxxxxx
Subject:  RES: apache + AD auth

Anyone?

________________________________________
From: Diego Maciel Gomes [diego.gomes@xxxxxxxxxxxxxx]
Sent: Tuesday, August 30, 2011 15:08
To: users@xxxxxxxxxxxxxxxx
Subject:  apache + AD auth

Hello All...

I have auth against AD...

It was working fine; one fine day it stopped working, and I have no idea why it doesn't work now...

So, I'm using Windows 2008 R2 for Windows and httpd-2.2.3-53 Red Hat, OK?

This is my conf inside the virtualhost:

        AuthBasicProvider ldap
        AuthType Basic
        AuthzLDAPAuthoritative off
        AuthName "*** Cuidado - Acesso Restrito ***"
        AuthLDAPURL "ldap://domain.com:389/dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "CN=user_read_ad, OU=People, DC=domain, DC=com"
        AuthLDAPBindPassword pass_user_above
        Require ldap-group "CN=group_access, OU=Group, DC=domain, DC=com"

I know that I need to set the value below inside /etc/openldap/ldap.conf:

REFERRALS off

When I access the directory, it's calling the auth. I put in my user that has privileges, and I get the error "500 Internal Server Error", and in the log I have this:

[Tue Aug 30 14:55:23 2011] [warn] [client 192.168.1.1] [32013] auth_ldap authenticate: user my_user authentication failed; URI /files [ldap_search_ext_s() for user failed][Operations error]

Anyone have any idea??

Thanks anyway,

Diego


--
This message has been scanned by the antivirus system and
 is believed to be free of danger.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
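
An added example, not part of the original thread or of Apache's own code: a small Python linter for the mod_authnz_ldap block posted above. It splits the AuthLDAPURL value into its documented fields and flags two things visible in the posted config: the quoted DN on Require ldap-group, and a plain ldap:// URL with no TLS mode, over which simple binds carry passwords unencrypted. The finding ids and FIXED_CONF (including the ldaps://…:636 endpoint) are constructed for illustration, and only the mode argument on AuthLDAPURL is checked.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample: the directives as posted in the thread.
SAMPLE_CONF = """\
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "*** Cuidado - Acesso Restrito ***"
AuthLDAPURL "ldap://domain.com:389/dc=domain,dc=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=user_read_ad, OU=People, DC=domain, DC=com"
AuthLDAPBindPassword pass_user_above
Require ldap-group "CN=group_access, OU=Group, DC=domain, DC=com"
"""
# Constructed corrected variant: TLS-wrapped LDAP (assumed endpoint) and an unquoted group DN.
FIXED_CONF = SAMPLE_CONF.replace("ldap://domain.com:389", "ldaps://domain.com:636").replace(
    'Require ldap-group "CN=group_access, OU=Group, DC=domain, DC=com"',
    "Require ldap-group CN=group_access, OU=Group, DC=domain, DC=com")

def parse_ldap_url(url):
    """Split an AuthLDAPURL value: scheme://host:port/basedn?attribute?scope?filter."""
    u = urlsplit(url)
    attr, scope, flt = (u.query.split("?", 2) + ["", "", ""])[:3]
    return {"scheme": u.scheme, "host": u.hostname,
            "port": u.port or (636 if u.scheme == "ldaps" else 389),
            "base_dn": u.path.lstrip("/"),
            "attribute": attr or "uid",           # defaults per the mod_authnz_ldap docs
            "scope": scope or "sub",
            "filter": flt or "(objectClass=*)"}

def lint(conf):
    """Return finding ids for a block of mod_authnz_ldap directives."""
    findings, url, mode = [], None, "NONE"
    for raw in conf.splitlines():
        name, _, arg = raw.strip().partition(" ")
        key, arg = name.lower(), arg.strip()
        if key == "authldapurl":
            tokens = shlex.split(arg)             # URL, then optional NONE|SSL|TLS|STARTTLS
            if tokens:
                url = parse_ldap_url(tokens[0])
                mode = tokens[1].upper() if len(tokens) > 1 else "NONE"
        elif key == "require" and arg.lower().startswith("ldap-group"):
            dn = arg[len("ldap-group"):].strip()
            if dn.startswith(('"', "'")):         # docs: do not quote the group DN
                findings.append("quoted-group-dn")
    if url and url["scheme"] == "ldap" and mode not in ("SSL", "TLS", "STARTTLS"):
        findings.append("cleartext-ldap")         # simple binds cross the wire unencrypted
    return findings
```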

