[users@httpd] LDAP Authentication and Subgroups/Nested groups

I am running Apache 2.0.50 with mod_auth_ldap.

When I use the 'require group' directive, members of nested groups do not
seem to be recognised.

I am trying to authenticate using:

'require group cn=Authenticated_users,ou=Roles,dc=sample,dc=com'

This group (Authenticated_Users) has a group called
'cn=Everyone,ou=Groups,dc=sample,dc=com' as a uniqueMember. The user jbloggs
is a member of cn=Everyone.

Apache does not seem to follow the nesting of groups since if I add jbloggs
directly as a uniqueMember of Authenticated_users everything works fine but
when jbloggs is only a member of Everyone, authentication fails.

I am just wondering what the standard, accepted way of setting up LDAP and
Apache is. Am I structuring my directory incorrectly? Any help resolving
this would be appreciated.

Thanks,
Alun

The sample ldif is included below:

# OU DEFINITIONS
# People OU - for holding records of all individuals
dn: ou=People,dc=sample,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

# Groups OU - for holding records of groupings of individuals
dn: ou=Groups,dc=sample,dc=com
ou: Groups
objectClass: top
objectClass: organizationalUnit

# Roles OU - for holding records of roles and the groups to which those
# roles have been assigned
dn: ou=Roles,dc=sample,dc=com
ou: Roles
objectClass: top
objectClass: organizationalUnit

# PEOPLE ENTRIES
dn: uid=jbloggs,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
sn: Bloggs
cn: Joe
uid: jbloggs
userpassword: no3XJAZeeb9AKbGNY65/masWpZE=
mail: jbloggs@xxxxxxxxxx

# GROUPS ENTRIES
dn: cn=Everyone,ou=Groups,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Everyone
uniqueMember: uid=jbloggs,ou=People,dc=sample,dc=com

# ROLES ENTRIES
dn: cn=Authenticated_users,ou=Roles,dc=sample,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Authenticated_users
uniqueMember: cn=Everyone,ou=Groups,dc=sample,dc=com


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
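
The group evaluation described in the message, as an added example (not part of the original post and not Apache's code): a Python sketch that parses the two group entries from the LDIF above and contrasts a direct uniqueMember match with a depth-limited, cycle-safe nested lookup. The function names and the max_depth parameter are assumptions made for illustration, and the DN normalisation is simplified.

```python
# Added example: group entries copied from the post; helper names are hypothetical.
from collections import deque

LDIF = """\
dn: cn=Everyone,ou=Groups,dc=sample,dc=com
objectClass: groupOfUniqueNames
cn: Everyone
uniqueMember: uid=jbloggs,ou=People,dc=sample,dc=com

dn: cn=Authenticated_users,ou=Roles,dc=sample,dc=com
objectClass: groupOfUniqueNames
cn: Authenticated_users
uniqueMember: cn=Everyone,ou=Groups,dc=sample,dc=com
"""

def norm(dn):
    # Simplified DN normalisation: case-fold and strip spaces around RDNs.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_groups(ldif):
    """Return {group_dn: set(member_dns)} for groupOfUniqueNames entries."""
    groups = {}
    for block in ldif.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "groupofuniquenames" in (v.lower() for v in attrs.get("objectclass", [])):
            groups[norm(attrs["dn"][0])] = {norm(m) for m in attrs.get("uniquemember", [])}
    return groups

def is_member(groups, user_dn, group_dn, max_depth=0):
    """max_depth=0 compares only direct uniqueMember values (the result seen in
    the post); max_depth=N also descends up to N levels into member groups."""
    user, seen = norm(user_dn), set()
    queue = deque([(norm(group_dn), 0)])   # breadth-first: shallowest path wins
    while queue:
        dn, depth = queue.popleft()
        if dn in seen:                     # cycle guard: groups may contain each other
            continue
        seen.add(dn)
        members = groups.get(dn, set())
        if user in members:
            return True
        if depth < max_depth:              # bound the expansion of nested groups
            queue.extend((m, depth + 1) for m in members if m in groups)
    return False
```

With the post's data, the direct check fails for jbloggs against Authenticated_users and succeeds once one level of nesting is followed; the depth bound and visited set keep a misconfigured or circular group chain from widening access or looping.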


