Hi.
I'm trying to get a setup working where kerberos does authentication
and ldap does authorization based on an Active Directory group.
Alone the kerberos stuff works excellent. Even with a "Require group
something" from a group file.
But going to the LDAP configuration something goes wrong:
--- config ---
AuthType Kerberos
AuthName "SPNEGO"
KrbAuthRealms REALM
KrbMethodNegotiate on
KrbMethodK5Passwd off
KrbStripRealm on
Krb5Keytab /etc/val.keytab
KrbServiceName <service>
AuthLDAPBindDN "Jesper@domain"
AuthLDAPBindPassword SECRET
AuthzLDAPAuthoritative off
AuthLDAPUrl "ldap://<AD-URI>?sAMAccountName"
Require ldap-group CN=TestGroup,OU=Groups,OU=Company
require valid-user
---------------
When Im' in the group.. it logs:
[Fri Dec 05 21:18:40 2008] [debug] mod_authnz_ldap.c(730): [client
10.194.134.5] [24636] auth_ldap authorise: require group
: authorisation successful (attribute member) [Comparison true
(cached)][Compare True
And when I not in the group it logs:
[Fri Dec 05 22:27:44 2008] [debug] mod_authnz_ldap.c(847): [client
10.194.134.5] [28497] auth_ldap authorise: declining to
authorise
.. Which both seems correct.
The problem is that in both cases I end up getting the pages served.
Why dont I get a 401 in the second situation?
Thanks.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|