Re: help with mod_authz_ldap

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hopefully this reply will help someone else who has encountered this problem.  Here is my solution, and my understanding of how it works.

Listen 81

<Location />
#subversion configuratoin
   DAV svn
   SVNParentPath /srv/svnrepos

   # Limit write permission to list of valid users.
   # Require SSL connection for password protection.
   # SSLRequireSSL

   AuthType Basic
   AuthName "ARock Software Subversion"
#set the authentication to ldap
   AuthBasicProvider            ldap


   #Admin binding
   AuthLDAPBindDN cn=Manager,dc=mydomain,dc=com
   AuthLDAPBindPassword mypassword
   AuthzLDAPAuthoritative off

   #Default Search String, this is used to validate users
   AuthLDAPURL ldap://ldap:389/ou=Employees,ou=People,dc=mydomain,dc=com

   #require a member of the dev group.  In my LDAP, the attribute of users on the posix group is "memberUid"
   AuthLDAPGroupAttribute memberUid
   #the value of the attribute above is a username, not a full name
   AuthLDAPGroupAttributeIsDN off
   require ldap-group cn=development,ou=Groups,dc=mydomain,dc=com


</Location>


On 3/20/07, Todd Nine <todd.nine@xxxxxxxxx> wrote:
Hi Gaël,
 
I'm a bit of an LDAP noob from the administrative side, I've only connected and queried information from Java Applications.  I've installed OpenLDAP on CentOS 4.3, I'm connecting to LDAP from a Fedora 6 box with Apache 2.2.  I have it partially working thanks to your response!  I missed the "
AuthzLDAPAuthoritative directive be set to off" for require valid-user.  I have the following configuration and it now works for all employee access, but I want to limit it to only developers.  The posix group "developers" path is below

cn=development,ou=Groups,dc=arocksoftware,dc=com

The member attribute in the development group is "memberUid" for the user id of all members

I tried change the config below to the following parameters, and it won't authenticate with the require group on.  If I comment out the group directive and just go with require valid user, it works.  Can I get any help on what's wrong with my group query string?

Thanks,
Todd


Working Starting point
<Location />
   DAV svn
   SVNParentPath /srv/svnrepos

   # Limit write permission to list of valid users.
   # Require SSL connection for password protection.
   # SSLRequireSSL

   #Admin binding
   AuthLDAPBindDN {admin dn removed}
   AuthLDAPBindPassword {admin password removed}
   AuthzLDAPAuthoritative off

   #Default Search String
   AuthLDAPURL ldap://ldap:389/ou=Employees,ou=People,dc=arocksoftware,dc=com?uid

   #require a member of the dev group
   AuthLDAPGroupAttribute memberUid
   require ldap-group cn=development,ou=Groups,dc=arocksoftware,dc=com
   #Require valid-user

</Location>





On 3/20/07, Gaël Lams < lamsgael@xxxxxxxxx> wrote:
On 3/20/07, Todd Nine < todd.nine@xxxxxxxxx> wrote:
> Hi all,
>   I'm having a bit of trouble getting mod_authz_ldap to work.  I have my OU
> layout and my posix groups layout included.  I'm simply trying to
> authenticate the user "tnine" against the group
>  cn=development,ou=Groups,dc=arocksoftware,dc=com
>
>
>  I receive the following error, so I'm obviously not getting authorized
>
> auth_ldap authenticate: user tnine authentication failed; URI /vcproject/
> [ldap_search_ext_s() for user failed][No such object]
>
>
>  I have the following settings in my authorization directive.  But I have
> several questions.  Any help would be greatly appreciated.
>
> 1. I'm using a posixGroup, is that not possible?
> 2. I have set the log level to debug, but I only get the above line in the
> error_log.  I'd like to see the query string its issuing, is that possible?
> 3. I thought that by setting the AuthLDAPGroupAttribute it would find my
> username and authenticate me, is that not correct?

I personally always look on the ldap back-end side to see the query
string being issued. Which ldap directory are you using

Before working with a group, do you have the ldap authentication
working for a single user?

"require valid-user" directive requires that mod_authz_user be loaded
and that the AuthzLDAPAuthoritative directive be set to off but you
have it set to off
(http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqvaliduser ).

AuthLDAPGroupAttribute specifies which LDAP attributes are used to
check for group membership.
The require directives are used during the authorization phase: are
you sure you're right in specifying both require valid-user and
require ldap-group? As said a few lines below, require valid-user
require an additional authorization modules (mod_authz_user). Why
don't use only require ldap-group? This whay you could let
"AuthzLDAPAuthoritative On"?

Regards,

Gaël



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux