Sohail Somani wrote:
Hi, I'm trying to set up ldap authentication. I am pretty sure that it authenticates because I get the following results from the error logs in specific situations:

Invalid user:
  auth_ldap authenticate: user <bad_user> authentication failed; URI /mypaty [User not found][No such object]
Valid user/invalid pw:
  user <good_user>: authentication failure for "/mypath": Password Mismatch
Valid user/valid pw:
  No output from error log

So I assume that it works and is set up correctly. Additionally, I have used ldapsearch to verify that the ldap strings are doing the right dance. However, in the last case, when it appears that I have authenticated, Firefox/IE keep popping up the authorization box even when the user/pw are correct!

Here is my relevant (I hope) config:

<Location /mypath>
  AuthType basic
  AuthName "Authentication domain"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
  AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
  AuthLDAPBindPassword "<password>"
  SSLRequireSSL
  require valid-user
</Location>

Any assistance would be great!
Are you using Apache >= 2.2? If yes, "require valid-user" is not the directive for the authnz_ldap module.

If you're using Apache >= 2.2 and you want to:

1/ allow "any" authenticated user to enter (whatever his group membership is, i.e. no authorization control), you must "bypass" the authz_ldap authorization module by setting "AuthzLDAPAuthoritative" to off (else Apache searches for require ldap-user or ldap-group directives):

<Location /mypath>
  AuthType basic
  AuthName "Authentication domain"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative off
  AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
  AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
  AuthLDAPBindPassword "<password>"
  SSLRequireSSL
  require valid-user
</Location>

2/ allow a limited list of known users of the directory (needs the require ldap-user directive and not require valid-user):

<Location /mypath>
  AuthType basic
  AuthName "Authentication domain"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative *on*
  AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
  AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
  AuthLDAPBindPassword "<password>"
  SSLRequireSSL
  require *ldap-user* myuser_uid
</Location>

3/ allow a group of users (authorization based on group membership):

<Location /mypath>
  AuthType basic
  AuthName "Authentication domain"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative *on*
  AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
  AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
  AuthLDAPBindPassword "<password>"
  SSLRequireSSL
  require *ldap-group* my_group_full_dn
</Location>

HTH
Christophe
TIA
Sohail

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--
Christophe Gravier
DIOM Laboratory, SATIn team - PhD student
http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Research engineer
http://www.istase.com
Personal: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/
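As an added example, not code from either poster: a Python script that parses an AuthLDAPURL of the form used in this thread (RFC 2255: scheme://host[:port]/basedn?attribute?scope?filter) and builds the search filter mod_authnz_ldap sends for a login name, escaping the name per RFC 4515 so the supplied user name cannot rewrite the filter. The host name ldap.example.test and the user names are constructed values; the defaults for a missing attribute, scope or filter follow the mod_authnz_ldap documentation.

```python
"""Parse an AuthLDAPURL and build the per-user search filter Apache issues."""
from urllib.parse import urlsplit, unquote

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside a search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def parse_auth_ldap_url(url: str) -> dict:
    """Split an AuthLDAPURL into the pieces mod_authnz_ldap uses."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("AuthLDAPURL must use ldap:// or ldaps://")
    base_dn = unquote(parts.path.lstrip("/"))
    # Query part is "attribute?scope?filter"; missing fields take Apache's defaults.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attr, scope, flt = (unquote(f) for f in fields[:3])
    flt = flt or "(objectclass=*)"
    # Apache strips the outer parentheses here and puts them back when building.
    if flt.startswith("(") and flt.endswith(")"):
        flt = flt[1:-1]
    return {
        "host": parts.hostname,
        "port": parts.port or (636 if parts.scheme == "ldaps" else 389),
        "base_dn": base_dn,
        "attribute": attr or "uid",
        "scope": scope or "sub",   # base scope is not supported; sub is used
        "filter": flt,
    }


def build_user_filter(url: str, login: str) -> str:
    """Return the AND filter Apache searches with for the given login name."""
    cfg = parse_auth_ldap_url(url)
    return f"(&({cfg['filter']})({cfg['attribute']}={escape_filter_value(login)}))"


if __name__ == "__main__":
    # Constructed URL in the same shape as the thread's, with a placeholder host.
    demo = ("ldap://ldap.example.test/ou=Development,ou=Corporate Users,"
            "dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)")
    print(parse_auth_ldap_url(demo))
    print(build_user_filter(demo, "jdoe"))
    print(build_user_filter(demo, "*)(objectclass=*"))  # special chars are escaped
```

Running it shows that a login name containing filter metacharacters is rendered harmless by the escaping, which is the property a verifier of any custom LDAP authentication code should confirm.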