On 22/05/2018 at 21:53, Christophe Jaillet wrote:
On 22/05/2018 at 14:14, aguayo33 wrote:

Hi! Thanks in advance!

I need help with Apache configuration to enable login through Active Directory. I want to allow login if a user is a member of a group contained in another group.

Now I have this:

Alias /nagios /opt/nagios/share
<Directory "/opt/nagios/share">
    Options ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
    AuthType Basic
    AuthName "Acceso restringido"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://server/DC=domain,DC=red?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN user@xxxxxxxxxx
    AuthLDAPBindPassword "xxxxxx"
    Require ldap-group CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red
</Directory>

And I can't log in. If I put: require valid-user, it works fine.

[Mon May 21 13:36:05.060787 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(966): [client 10.10.10.10:51069] AH01716: auth_ldap authorise: require group "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": failed [Comparison complete][34 - Invalid DN syntax], checking sub-groups
[Mon May 21 13:36:05.062229 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(989): [client 10.10.10.10:51069] AH01718: auth_ldap authorise: require group (sub-group) "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": didn't match with attr DN failed group verification. [member][34 - Invalid DN syntax]
[Mon May 21 13:36:05.062250 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(966): [client 10.10.10.10:51069] AH01716: auth_ldap authorise: require group "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": failed [DN failed group verification.][34 - Invalid DN syntax], checking sub-groups
[Mon May 21 13:36:05.063471 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(989): [client 10.10.10.10:51069] AH01718: auth_ldap authorise: require group (sub-group) "CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red": didn't match with attr DN failed group verification. [uniqueMember][34 - Invalid DN syntax]
[Mon May 21 13:36:05.063481 2018] [authnz_ldap:debug] [pid 9315] mod_authnz_ldap.c(996): [client 10.10.10.10:51069] AH01720: auth_ldap authorize group: authorization denied for user ext-agumarjo to /nagios/
[Mon May 21 13:36:05.063486 2018] [authz_core:debug] [pid 9315] mod_authz_core.c(809): [client 10.10.10.10:51069] AH01626: authorization result of Require ldap-group CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red: denied
[Mon May 21 13:36:05.063489 2018] [authz_core:debug] [pid 9315] mod_authz_core.c(809): [client 10.10.10.10:51069] AH01626: authorization result of <RequireAny>: denied
[Mon May 21 13:36:05.063492 2018] [authz_core:error] [pid 9315] [client 10.10.10.10:51069] AH01631: user ext-agumarjo: authorization failure for "/nagios/":

What am I doing wrong? THANKS!

Hi,

just my 2c as I'm not an LDAP user, but "OU=<domain>" looks spurious, because of the '<' and '>'. Is it intended?

CJ

Also, even if unrelated to your question, you should have a look at the note at the top of https://httpd.apache.org/docs/2.4/en/mod/mod_access_compat.html
In your example "Order allow,deny" and "Allow from all" should not be needed.

CJ
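
The debug log above reports LDAP result 34 (Invalid DN syntax), and the reply points at the '<' and '>' in "OU=<domain>"; RFC 4514 requires those characters to be backslash-escaped inside a DN attribute value. The following Python check for `Require ldap-group` lines is an added example, not code from this thread or from httpd: the function names are hypothetical, it covers only a subset of the RFC 4514 rules, and the second sample line is constructed.

```python
import re

# RFC 4514 requires these to be backslash-escaped inside an attribute value.
# ('+' and ',' are treated as RDN separators and are not flagged here.)
MUST_ESCAPE = set('";<>')

def split_unescaped(text, sep):
    """Split on sep, treating a backslash plus the next character as one unit."""
    parts, cur, i = [], "", 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            cur += text[i:i + 2]
            i += 2
        elif text[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += text[i]
            i += 1
    parts.append(cur)
    return parts

def dn_problems(dn):
    """Return a list of human-readable syntax problems found in a DN string."""
    problems = []
    for rdn in split_unescaped(dn, ","):
        attr, eq, value = rdn.strip().partition("=")
        if not eq or not attr or not value:
            problems.append(f"malformed RDN {rdn.strip()!r}")
            continue
        bare = re.sub(r"\\.", "", value)  # ignore correctly escaped characters
        bad = sorted(MUST_ESCAPE & set(bare))
        if bad:
            problems.append(f"unescaped {' '.join(bad)} in {rdn.strip()!r}")
    return problems

def check_config(conf):
    """Return (line_number, problem) for each Require ldap-group DN in conf."""
    findings = []
    for n, line in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*Require\s+ldap-group\s+(.+?)\s*$", line, re.I)
        if m:
            findings += [(n, p) for p in dn_problems(m.group(1).strip('"'))]
    return findings

# Line 1 is the Require line as posted; line 2 is a constructed variant.
SAMPLE = """\
Require ldap-group CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=<domain>,DC=domain,DC=red
Require ldap-group CN=NAGIOS_EXP,OU=Groups,OU=Administracion Autonomica,OU=example,DC=domain,DC=red
"""
```

Calling `check_config(SAMPLE)` flags only the first line, so the check can be run over a vhost file before reloading httpd to catch a placeholder left in a group DN.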