On Mon, 26 Feb 2007, Andy Kannberg wrote: > For our site, we want to start using LDAP for authenticating users to our website. > > I'm running some tests, but run into a problem when I want to start giving access by groups. > > I've added the following to the httpd.conf : > > # LDAP Authentication > <Directory /var/httpd/test> > AuthName "Login" > AuthType Basic > > AuthLDAPURL ldap://ldapx.snow.nl/ou=people,dc=snow,dc=nl?uid > AuthLDAPGroupAttribute somegroup > require valid-user > </Directory> > > I have a testuser in LDAP, who is a member of the group "techniek" > When the deirective "AuthLDAPGroupAttribute" has the attribute "techniek", the user can access the testdirectory. > But when I change the attribute to another (existing) group in LDAP, from which the testuser is no member, I still can access the page as that testuser. But I would expect that I would not gain access to the page if the group is no corresponding with the group the user belongs to ? > This is because you are using "require valid-user" which bypasses the authorization step and only check the authentication. You'll need to use "require ldap-group" or "ldap-attribute" or "ldap-filter" and "AuthzLDAPAuthoritative On" to perform the authx phase. ---------------------------------------- "Mon aéroglisseur est plein d'anguilles" John P. Dodge Boeing Shared Services --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|