On 3/20/07, Todd Nine <todd.nine@xxxxxxxxx> wrote:
> Hi all,
> I'm having a bit of trouble getting mod_authz_ldap to work. I have my OU
> layout and my posix groups layout included. I'm simply trying to
> authenticate the user "tnine" against the group
> cn=development,ou=Groups,dc=arocksoftware,dc=com
>
> I receive the following error, so I'm obviously not getting authorized
>
> auth_ldap authenticate: user tnine authentication failed; URI /vcproject/
> [ldap_search_ext_s() for user failed][No such object]
>
> I have the following settings in my authorization directive. But I have
> several questions. Any help would be greatly appreciated.
>
> 1. I'm using a posixGroup, is that not possible?
> 2. I have set the log level to debug, but I only get the above line in the
> error_log. I'd like to see the query string it's issuing, is that possible?
> 3. I thought that by setting the AuthLDAPGroupAttribute it would find my
> username and authenticate me, is that not correct?

I personally always look on the ldap back-end side to see the querystring being issued. Which ldap directory are you using?

Before working with a group, do you have the ldap authentication working for a single user?

"require valid-user" directive requires that mod_authz_user be loaded and that the AuthzLDAPAuthoritative directive be set to off but you have it set to off (http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqvaliduser).

AuthLDAPGroupAttribute specifies which LDAP attributes are used to check for group membership.

The require directives are used during the authorization phase: are you sure you're right in specifying both require valid-user and require ldap-group? As said a few lines below, require valid-user requires an additional authorization module (mod_authz_user). Why not use only require ldap-group? This way you could let "AuthzLDAPAuthoritative On"?

Regards,
Gaël
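
An added example, not part of the original thread: a mod_authnz_ldap (httpd 2.2) configuration for the posixGroup case discussed above, using only `Require ldap-group` as the reply suggests. The LDAP host name, the `ou=People` user base and the `uid` login attribute are assumptions; the URI and the group DN are taken from the original post.

```apache
# Added example. ldap.example.com, ou=People and "uid" are assumed
# values; replace them with the ones from your own directory.
<Location /vcproject/>
    AuthType Basic
    AuthName "vcproject"
    AuthBasicProvider ldap

    # Authentication phase: search for the user entry below this base DN.
    # The base DN must exist in the directory, otherwise the user search
    # cannot succeed.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=arocksoftware,dc=com?uid?sub"

    # Authorization phase: a posixGroup lists its members as bare user
    # names in memberUid, not as DNs. Name that attribute and turn off
    # DN comparison so the login name is compared against it.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Only an LDAP requirement is used, so mod_authnz_ldap can remain
    # authoritative and no fallback to other authz modules is needed.
    AuthzLDAPAuthoritative on
    Require ldap-group cn=development,ou=Groups,dc=arocksoftware,dc=com
</Location>
```

Confirm that a single user can authenticate with the `AuthLDAPURL` line alone before adding the group requirement, and watch the directory server's own log for the search base and filter Apache sends.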