Re: [users@httpd] Apache 2 + LDAP - valid user/pw not authenticated?

Sohail Somani wrote:
Hi,

I'm trying to set up LDAP authentication. I am pretty sure that it
authenticates because I get the following results from the error logs
in specific situations:

Invalid user: auth_ldap authenticate: user <bad_user> authentication
failed; URI /mypaty [User not found][No such object]
Valid user/invalid pw: user <good_user>: authentication failure for
"/mypath": Password Mismatch
Valid user/valid pw: No output from error log

So I assume that it works and is set up correctly. Additionally, I have
used ldapsearch to verify that the ldap strings are doing the right
dance.

However, in the last case, when it appears that I have authenticated,
Firefox/IE keep popping up the authorization box even when the user/pw
are correct! Here is my relevant (I hope) config:

<Location /mypath>
   AuthType basic
   AuthName "Authentication domain"
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
   AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
   AuthLDAPBindPassword "<password>"
   SSLRequireSSL
   require valid-user
</Location>

Any assistance would be great!
Are you using Apache >= 2.2 ?

If yes, the "require valid-user" is not the directive for the authnz_ldap module.
If you're using Apache >= 2.2 and you want to:

1/ allow "any" authenticated user to enter (whatever his group membership is, i.e. no authorization control), you must "bypass" the authz_ldap authorization module by setting "AuthzLDAPAuthoritative" to off (else Apache searches for require ldap-user or ldap-group directives)

<Location /mypath>
  AuthType basic
  AuthName "Authentication domain"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative off
  AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
  AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
  AuthLDAPBindPassword "<password>"
  SSLRequireSSL
  require valid-user
</Location>


2/ allow a limited list of known users of the directory (need require ldap-user directive and not require ldap-user)

<Location /mypath>
  AuthType basic
  AuthName "Authentication domain"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
  AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
  AuthLDAPBindPassword "<password>"
  SSLRequireSSL
  require ldap-user myuser_uid
</Location>

3/ allow a group of users (authorization based on group membership).

<Location /mypath>
  AuthType basic
  AuthName "Authentication domain"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative on
  AuthLDAPURL "ldap://<host>/ou=Development,ou=Corporate Users,dc=financialcad,dc=com?sAMAccountName?sub?(objectclass=*)"
  AuthLDAPBindDN "cn=<bind_user>,ou=Development,ou=Corporate Users,dc=financialcad,dc=com"
  AuthLDAPBindPassword "<password>"
  SSLRequireSSL
  require ldap-group my_group_full_dn
</Location>

HTH
Christophe
TIA

Sohail


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




--
Christophe Gravier
Laboratoire DIOM, équipe SATIn - Doctorant http://portail-istase.univ-st-etienne.fr/diom/FRA/Satin.php
ISTASE - Ingénieur d'études http://www.istase.com
Perso: http://portail-istase.univ-st-etienne.fr/diom/public/cgravier/
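
A configuration check for the mismatch discussed in this thread, added here as an example and not code from either poster or from the Apache project: it flags Location/Directory blocks that use the ldap provider and leave AuthzLDAPAuthoritative on (the Apache 2.2 default) while carrying only non-LDAP require lines. The function names and the sample configuration, including its placeholder host, are constructed for illustration.

```python
import re

# Constructed sample: the question's block (authoritative on + valid-user)
# and the reply's option 1 (authoritative off). Host and DNs are placeholders.
SAMPLE_CONF = '''
<Location /mypath>
   AuthType basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPURL "ldap://ldap.example.invalid/dc=example,dc=invalid?sAMAccountName?sub?(objectclass=*)"
   require valid-user
</Location>
<Location /fixed>
   AuthType basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative off
   AuthLDAPURL "ldap://ldap.example.invalid/dc=example,dc=invalid?sAMAccountName?sub?(objectclass=*)"
   require valid-user
</Location>
'''

# Non-nested <Location>/<Directory> sections only (assumption of this sketch).
SECTION = re.compile(r'<(Location|Directory)\s+([^>]+)>(.*?)</\1>', re.S | re.I)

def directives(body):
    """Return [(lowercased name, argument string)] for each directive line."""
    out = []
    for line in body.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith('#'):
            out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ''))
    return out

def find_mismatches(conf):
    """Paths where LDAP authz is authoritative but no ldap-* require is present."""
    flagged = []
    for _, path, body in SECTION.findall(conf):
        d = directives(body)
        uses_ldap = any(n == 'authbasicprovider' and 'ldap' in a.lower().split()
                        for n, a in d)
        authoritative = 'on'  # default when the directive is absent
        for n, a in d:
            if n == 'authzldapauthoritative':
                authoritative = a.lower()
        requires = [a.lower() for n, a in d if n == 'require']
        ldap_require = any(r.startswith('ldap-') for r in requires)
        if uses_ldap and authoritative == 'on' and requires and not ldap_require:
            flagged.append(path.strip().strip('"'))
    return flagged
```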

