Our LDAP Active Directory tree looks like this:
DC=mycompany,DC=COM
-OU=Accounts
-OU=Usernames
-OU=Finance&Administration
-OU=Generic accounts
-OU=Security
-....
-DC=sng,DC=mycompany,DC=com
-OU=Singapore Users
-DC=uk,DC=mycompany,DC=com
-OU=Accounts
-OU=Users
If I use the following configuration, everything works, except I am not able to
authenticate UK and SNG users because the base of the search does not include
UK ans SNG domains.
AuthBasicProvider ldap
AuthLDAPURL
"ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=ldap connector,OU=Generic
accounts,OU=Accounts,DC=mycompany,DC=com"
AuthLDAPBindPassword ******
AuthType Basic
AuthName "mycompany Domain"
Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(373): [client
192.168.2.75] [3718] auth_ldap authenticate: using URL
ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(454): [client
192.168.2.75] [3718] auth_ldap authenticate: accepting testuser
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(691): [client
192.168.2.75] [3718] auth_ldap authorise: require group: testing for group
membership in "CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts,
DC=mycompany,DC=com"
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(697): [client
192.168.2.75] [3718] auth_ldap authorise: require group: testing for member:
CN=Test User,OU=Finance&Administration,OU=Usernames,OU=Accounts,DC=mycompany,DC=com
(CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com)
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(706): [client
192.168.2.75] [3718] auth_ldap authorise: require group: authorisation
successful (attribute member) [Comparison true (adding to cache)][Compare True]
However, if I use the following configuration (point to the base of AD tree), mod_authnz_ldap.c produces a seg
fault.
AuthBasicProvider ldap
AuthLDAPURL
"ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=ldap connector,OU=Generic
accounts,OU=Accounts,DC=mycompany,DC=com"
AuthLDAPBindPassword ******
AuthType Basic
AuthName "mycompany Domain"
Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com
[Wed Nov 26 20:24:31 2008] [debug] mod_authnz_ldap.c(373): [client
192.168.2.75] [3110] auth_ldap authenticate: using URL
ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
[Wed Nov 26 20:24:42 2008] [notice] child pid 3110 exit signal Segmentation
fault (11)
# rpm -qi httpd
Name : httpd Relocations: (not relocatable)
Version : 2.2.3 Vendor: CentOS
Release : 11.el5_2.centos.4 Build Date: Wed 12 Nov 2008
10:44:43 AM EST
Install Date: Fri 14 Nov 2008 07:42:56 AM EST Build Host:
Group : System Environment/Daemons Source RPM:
httpd-2.2.3-11.el5_2.centos.4.src.rpm
Size : 2899288 License: Apache Software License
Signature : DSA/SHA1, Wed 12 Nov 2008 05:54:31 PM EST, Key IDa8a447dce8562897
URL : http://httpd.apache.org/
Summary : Apache HTTP Server
Description : The Apache HTTP Server is a powerful, efficient, and extensible
web server.
Is there a way to make mod_authnz_ldap to search across 3 LDAP branches where the user information is stored?
|