Hi all,

I've spent an hour googling this so am really hoping this isn't just a case of me being stupid (although a quick fix would be nice).

We have an Apache 2.2.0 (built Dec 21 2005 15:12:36) instance with the following ldap config:

    <Directory />
        Options FollowSymLinks
        AllowOverride None
        AuthType Basic
        AuthName "LDAP Authentication"
        AuthBasicProvider ldap
        AuthLDAPUrl ldap://toyent02/o=users?cn?sub?(objectclass=Person)
        AuthLDAPBindDN cn=.......,o=admin
        AuthLDAPBindPassword ........
        AuthzLDAPAuthoritative off
    </Directory>

I've been asked to add failover to the ldap config, which according to http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#authldapurl should be as simple as changing the AuthLDAPUrl to:

    AuthLDAPUrl ldap://toyent02 toyent01/o=users?cn?sub?(objectclass=Person)

but when I do that I get this:

    Syntax error on line 316 of /usr/local/apache/conf/httpd.conf:
    Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/STARTTLS

which makes me think that the "ldap://toyent02" is being interpreted as the url, and "toyent01/o=users?cn?sub?(objectclass=Person)" as the connection mode. I can confirm this by changing the config to:

    AuthLDAPUrl ldap://toyent02 toyent01/o=users?cn?sub?(objectclass=Person) NONE

which gives me:

    Syntax error on line 316 of /usr/local/apache/conf/httpd.conf:
    AuthLDAPURL takes 1-2 arguments, URL to define LDAP connection. This should be an RFC 2255 complaint\nURL of the form ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n<ul>\n<li>Host is the name of the LDAP server. Use a space separated list of hosts \nto specify redundant servers.\n<li>Port is optional, and specifies the port to connect to.\n<li>basedn specifies the base DN to start searches from\n<li>Attrib specifies what attribute to search for in the directory. If not provided, it defaults to <b>uid</b>.\n<li>Scope is the scope of the search, and can be either <b>sub</b> or <b>one</b>. If not provided, the default is <b>sub</b>.\n<li>Filter is a filter to use in the search. If not provided, defaults to <b>(objectClass=*)</b>.\n</ul>\nSearches are performed using the attribute and the filter combined. For example, assume that the\nLDAP URL is <b>ldap://ldap.airius.com/ou=People, o=Airius?uid?sub?(posixid=*)</b>. Searches will\nbe done using the filter <b>(&((posixid=*))(uid=<i>username</i>))</b>, where <i>username</i>\nis the user name passed by the HTTP client. The search will be a subtree search on the branch <b>ou=People, o=Airius</b>.

so it's obviously splitting the arguments based on a space, contrary to the docs.

Has anyone else got ldap configured with failover? The only remotely close thing google has turned up is this:

http://issues.apache.org/bugzilla/show_bug.cgi?id=30592

but it doesn't quite fit the bill.

Any ideas?

cheers
dim
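Added example, not part of the original message and not Apache's own code: a small Python check that splits a directive line on whitespace unless an argument is quoted, which is how httpd separates directive arguments, and reports why the unquoted host list yields the two errors above while the same URL in double quotes parses as a single argument. `split_args` and `check_authldapurl` are hypothetical names, the tokenizer is a simplified approximation (no escape handling), and the sample lines are constructed from the post.

```python
import re

# Connection modes named in the error message quoted in the post.
MODES = {"NONE", "SSL", "TLS", "STARTTLS"}

def split_args(line):
    """Approximate httpd: split on whitespace unless an argument is quoted."""
    args, i, n = [], 0, len(line)
    while i < n:
        if line[i].isspace():
            i += 1
        elif line[i] in "\"'":
            end = line.find(line[i], i + 1)
            end = n if end == -1 else end
            args.append(line[i + 1:end])
            i = end + 1
        else:
            j = i
            while j < n and not line[j].isspace():
                j += 1
            args.append(line[i:j])
            i = j
    return args

def check_authldapurl(line):
    """Return the problems found in one AuthLDAPUrl line (empty list = OK)."""
    words = split_args(line)
    if not words or words[0].lower() != "authldapurl":
        return []
    args, problems = words[1:], []
    if not 1 <= len(args) <= 2:
        problems.append(f"{len(args)} arguments given, directive takes 1-2")
    if args and not re.match(r"ldaps?://[^/]+/", args[0], re.I):
        problems.append("URL has no base DN: host list is probably unquoted")
    if len(args) == 2 and args[1].upper() not in MODES:
        problems.append(f"{args[1]!r} is not a connection mode")
    return problems

# Constructed input: the directive lines from the post, plus a quoted variant.
URL = "ldap://toyent02 toyent01/o=users?cn?sub?(objectclass=Person)"
SAMPLES = [
    "AuthLDAPUrl ldap://toyent02/o=users?cn?sub?(objectclass=Person)",
    f"AuthLDAPUrl {URL}",
    f"AuthLDAPUrl {URL} NONE",
    f'AuthLDAPUrl "{URL}"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s, "->", check_authldapurl(s) or "OK")
```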