Hello,

Is nobody using ldap-based authentication and authorization based on group?

I mean, I have been testing it for some days and I can't figure out the problem. I really think I'm compliant with the 2.2 doc (for example, require ldap-user is working and I don't see much difference with require ldap-group ...).

Has anybody succeeded in building such a configuration? If nobody did, I'll file a bug report ... (which is not necessary if someone has ever succeeded ;-)).

Thank you in advance,
Best Regards,

Christophe Gravier wrote:
Hello,

Regarding the new Apache 2.2 authentication and authorization layers, especially ldap-group ( http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup ), I wanted to build authentication and authorization based on ldap group membership. I built my directive the same way as those man pages, that means:

    <Location "/DevDSI_trac">
        SetEnv TRAC_ENV "/var/trac/DevDSI"
        AuthType Basic
        AuthName "DevDSI trac"
        AuthBasicProvider ldap
        AuthLDAPURL ldap://ist-guizay.univ-st-etienne.fr:389/ou=person,o=istase,c=fr?uid?sub?(objectClass=*)
        require ldap-group cn=satin,ou=groups,o=istase,c=fr
    </Location>

This is not working. I did check that ldap-group contains no typo. AuthLDAPURL is ok since I can make my identification work with the "require ldap-user" directive. I also made it work by setting AuthzLDAPAuthoritative to off for the "require valid-user" directive (but this is not ldap group based authorization, of course).

Moreover, my group is declared as follows in my openldap directory:

    dn: cn=satin,ou=groups,o=istase,c=fr
    objectClass: groupOfUniqueNames
    uniqueMember: uid=gravier.christophe,ou=person,o=istase,c=fr
    uniqueMember: etc....

So, when I try to log in to the web area, I receive a "401 Authorization required". There's no trace in the error log (I get a trace if I enter a bad password, though). This means I successfully go through the auth type and authentication layers but not through authorization (but no error message in error.log!).

My loaded modules are:

    ls -l /etc/apache2/mods-enabled/ | awk '{print $8}'
    alias.load, auth_basic.load, authn_file.load, authnz_ldap.load, authz_host.load, authz_owner.load, authz_user.load, autoindex.load, cgi.load, dav.load, dav_svn.load, dir.load, env.load, ldap.load, mime.load, negotiation.load, php4.conf, php4.load, status.load

I think I understand the new architecture well because I clearly made "ldap-user" and "valid-user without ldap authoritative" work. But there's something about ldap-group I haven't been able to figure out for a couple of days; that's why I decided to ask on this mailing list.

Does anyone have an idea about my configuration, please? I can post more info if needed .... Or at least, does anyone have a working configuration with ldap based on groups?

Thank you in advance,
Regards.
--
Christophe Gravier
Laboratoire DIOM, SATIn team - PhD student
http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Research engineer
http://www.istase.com
Personal: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
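The following is an added example, not part of the mailing-list thread and not code from the Apache project: a small offline model of what a "require ldap-group" check has to establish once Basic authentication has already succeeded. The directory entries are constructed sample data in the shape the post describes (a groupOfUniqueNames listing user DNs under uniqueMember, plus a second constructed group that uses member instead). The two knobs modelled are the documented mod_authnz_ldap directives AuthLDAPGroupAttribute (which attribute(s) of the group entry are searched; the 2.2 default is member and uniquemember) and AuthLDAPGroupAttributeIsDN (whether the user's DN or the bare username is compared; default on). It is an assumption that the real module's behaviour reduces to this comparison: the module asks the LDAP server to do the compare rather than reading the group entry itself, and the poster's configuration sets neither directive, so the defaults apply. The point of the model is to show which misconfigurations make a correctly authenticated user fail authorization silently, which is the symptom described in the post.

```python
"""Offline model of a "require ldap-group" authorization decision.

Added example; the directory below is constructed sample data, and the
algorithm is a simplification of mod_authnz_ldap (assumption: the module
issues an LDAP compare on the group entry instead of reading it locally).
"""
from typing import Dict, List, Optional, Tuple

# Constructed directory: entries keyed by DN, attribute values as lists.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=gravier.christophe,ou=person,o=istase,c=fr": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["gravier.christophe"],
    },
    "uid=other.user,ou=person,o=istase,c=fr": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["other.user"],
    },
    # Group in the shape the post shows: DNs under uniqueMember.
    "cn=satin,ou=groups,o=istase,c=fr": {
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": ["uid=gravier.christophe,ou=person,o=istase,c=fr"],
    },
    # Constructed second group using the groupOfNames "member" attribute.
    "cn=devs,ou=groups,o=istase,c=fr": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=other.user,ou=person,o=istase,c=fr"],
    },
}


def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively, ignoring whitespace around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_user_dn(username: str, base: str, attr: str = "uid") -> Optional[str]:
    """Model the AuthLDAPURL subtree search (base?uid?sub): return the DN of
    the entry under `base` whose `attr` equals the Basic-auth username."""
    for dn, entry in DIRECTORY.items():
        in_subtree = normalize_dn(dn).endswith(normalize_dn(base))
        if in_subtree and username in entry.get(attr, []):
            return dn
    return None


def is_group_member(username: str, user_dn: str, group_dn: str,
                    group_attrs: Tuple[str, ...] = ("member", "uniquemember"),
                    attribute_is_dn: bool = True) -> bool:
    """Model "require ldap-group <group_dn>".

    group_attrs      plays the role of AuthLDAPGroupAttribute.
    attribute_is_dn  plays the role of AuthLDAPGroupAttributeIsDN: when True
                     the user's DN is compared, otherwise the bare username.
    """
    group = DIRECTORY.get(group_dn)
    if group is None:
        return False
    # LDAP attribute names are case-insensitive; index the entry accordingly.
    attrs = {name.lower(): values for name, values in group.items()}
    wanted = normalize_dn(user_dn) if attribute_is_dn else username
    for attr in group_attrs:
        for value in attrs.get(attr.lower(), []):
            candidate = normalize_dn(value) if attribute_is_dn else value
            if candidate == wanted:
                return True
    return False


def authorize(username: str, group_dn: str,
              base: str = "ou=person,o=istase,c=fr", **knobs) -> Tuple[bool, str]:
    """Authorization step only: the password is assumed to have been checked.
    Returns (decision, reason) so the reason can be written to an error log;
    a bare 401 with no log line is exactly what makes this stage hard to debug."""
    user_dn = resolve_user_dn(username, base)
    if user_dn is None:
        return (False, "no entry for uid=%s under %s" % (username, base))
    if is_group_member(username, user_dn, group_dn, **knobs):
        return (True, "%s is listed in %s" % (user_dn, group_dn))
    return (False, "%s is not listed in %s" % (user_dn, group_dn))


if __name__ == "__main__":
    satin = "cn=satin,ou=groups,o=istase,c=fr"
    for label, result in [
        ("defaults", authorize("gravier.christophe", satin)),
        ("only 'member' searched", authorize("gravier.christophe", satin, group_attrs=("member",))),
        ("username compared, not DN", authorize("gravier.christophe", satin, attribute_is_dn=False)),
    ]:
        print("%-28s -> %s (%s)" % (label, "allow" if result[0] else "deny", result[1]))
```

With the defaults the authenticated user is allowed, because the group lists his DN under uniqueMember. The two denied runs show the failure modes that produce the post's symptom: searching only an attribute the group does not use, or comparing the bare username against values that are DNs. Both yield a deny with no authentication error, so the user sees a 401 while the password check itself succeeded; raising LogLevel to debug on the server is the way to see which comparison was made.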