Arkadiy,

Take a look at this: http://httpd.apache.org/docs/trunk/mod/mod_authn_core.html

You can create multiple authentication mechanisms, one for each sub-tree perhaps, and then alias them.

Cheers,
Tony

On 23/12/2008 19:49, Arkadiy Goykhberg wrote:
Our LDAP Active Directory tree looks like this:

DC=mycompany,DC=COM
  -OU=Accounts
    -OU=Usernames
      -OU=Finance&Administration
      -OU=Security
      -....
    -OU=Generic accounts
-DC=sng,DC=mycompany,DC=com
  -OU=Singapore Users
-DC=uk,DC=mycompany,DC=com
  -OU=Accounts
    -OU=Users

If I use the following configuration, everything works, except I am not able to authenticate UK and SNG users because the base of the search does not include the UK and SNG domains.

AuthBasicProvider ldap
AuthLDAPURL "ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
AuthLDAPBindPassword ******
AuthType Basic
AuthName "mycompany Domain"
Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com

[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(373): [client 192.168.2.75] [3718] auth_ldap authenticate: using URL ldap://nydomain04.mycompany.com/OU=Accounts,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(454): [client 192.168.2.75] [3718] auth_ldap authenticate: accepting testuser
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(691): [client 192.168.2.75] [3718] auth_ldap authorise: require group: testing for group membership in "CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com"
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(697): [client 192.168.2.75] [3718] auth_ldap authorise: require group: testing for member: CN=Test User,OU=Finance&Administration,OU=Usernames,OU=Accounts,DC=mycompany,DC=com (CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com)
[Wed Nov 26 22:24:36 2008] [debug] mod_authnz_ldap.c(706): [client 192.168.2.75] [3718] auth_ldap authorise: require group: authorisation successful (attribute member) [Comparison true (adding to cache)][Compare True]

However, if I use the following configuration (pointing to the base of the AD tree), mod_authnz_ldap.c produces a seg fault.

AuthBasicProvider ldap
AuthLDAPURL "ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
AuthLDAPBindPassword ******
AuthType Basic
AuthName "mycompany Domain"
Require ldap-group CN=JMX_Security, OU=Security, OU=Usernames, OU=Accounts, DC=mycompany,DC=com

[Wed Nov 26 20:24:31 2008] [debug] mod_authnz_ldap.c(373): [client 192.168.2.75] [3110] auth_ldap authenticate: using URL ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)
[Wed Nov 26 20:24:42 2008] [notice] child pid 3110 exit signal Segmentation fault (11)

# rpm -qi httpd
Name        : httpd                        Relocations: (not relocatable)
Version     : 2.2.3                             Vendor: CentOS
Release     : 11.el5_2.centos.4             Build Date: Wed 12 Nov 2008 10:44:43 AM EST
Install Date: Fri 14 Nov 2008 07:42:56 AM EST   Build Host: builder16.centos.org
Group       : System Environment/Daemons    Source RPM: httpd-2.2.3-11.el5_2.centos.4.src.rpm
Size        : 2899288                          License: Apache Software License
Signature   : DSA/SHA1, Wed 12 Nov 2008 05:54:31 PM EST, Key ID a8a447dce8562897
URL         : http://httpd.apache.org/
Summary     : Apache HTTP Server
Description :
The Apache HTTP Server is a powerful, efficient, and extensible web server.

Is there a way to make mod_authnz_ldap search across the 3 LDAP branches where the user information is stored?
--
-----------------------------------------
Tony Stevenson

tony@xxxxxxxxxxx // pctony@xxxxxxxxxx
http://www.pc-tony.com/

1024D/51047D66
ECAF DC55 C608 5E82 0B5E 3359 C9C7 924E 5104 7D66
-----------------------------------------

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
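The following is an added example of the approach Tony points to, not configuration from either message in the thread. It declares one aliased `ldap` provider per AD domain with mod_authn_core's `AuthnProviderAlias` (httpd 2.2 and later) and lists the three aliases in `AuthBasicProvider`, so each user is looked up only in the domain that holds the account and the search never has to start at the forest root. The NY values are copied from Arkadiy's post; the domain controller names `ukdc01.uk.mycompany.com` and `sngdc01.sng.mycompany.com`, the `/jmx` location, and the assumption that the NY "ldap connector" account can bind to the child-domain DCs are all assumptions for the example.

```apache
# Added example (not from the thread): one aliased ldap provider per AD domain.
# AuthnProviderAlias is provided by mod_authn_core (httpd 2.2+), so
# mod_authn_core, mod_ldap and mod_authnz_ldap must all be loaded.
# Hostnames ukdc01/sngdc01 and the /jmx location are assumptions; the NY
# values are the ones from the original post.

# Forest root domain: mycompany.com
<AuthnProviderAlias ldap ldap-ny>
    AuthLDAPURL "ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
    AuthLDAPBindPassword ******
</AuthnProviderAlias>

# Child domain: uk.mycompany.com (assumed DC name)
<AuthnProviderAlias ldap ldap-uk>
    AuthLDAPURL "ldap://ukdc01.uk.mycompany.com/DC=uk,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    # Assumes the forest-root connector account may bind here; otherwise use
    # a bind account that lives in the uk domain.
    AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
    AuthLDAPBindPassword ******
</AuthnProviderAlias>

# Child domain: sng.mycompany.com (assumed DC name)
<AuthnProviderAlias ldap ldap-sng>
    AuthLDAPURL "ldap://sngdc01.sng.mycompany.com/DC=sng,DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
    AuthLDAPBindPassword ******
</AuthnProviderAlias>

<Location /jmx>
    AuthType Basic
    AuthName "mycompany Domain"

    # Providers are tried in the order listed. The first alias whose search
    # finds the sAMAccountName and whose bind with the supplied password
    # succeeds authenticates the user; the others are not consulted.
    AuthBasicProvider ldap-ny ldap-uk ldap-sng

    # In 2.2 the "Require ldap-group" check is done by mod_authnz_ldap with
    # the LDAP settings of *this* context, not the alias that authenticated
    # the user, so a URL/bind that can reach the group object is still needed
    # here. The group lives in the forest root, so the NY DC is used.
    AuthLDAPURL "ldap://nydomain04.mycompany.com/DC=mycompany,DC=com?sAMAccountName?sub?(objectClass=*)"
    AuthLDAPBindDN "CN=ldap connector,OU=Generic accounts,OU=Accounts,DC=mycompany,DC=com"
    AuthLDAPBindPassword ******

    Require ldap-group CN=JMX_Security,OU=Security,OU=Usernames,OU=Accounts,DC=mycompany,DC=com
</Location>
```

Two things to check before relying on this. First, the group compare is done on the authenticated user's full DN (the default `AuthLDAPGroupAttributeIsDN on`), so a UK or SNG user only passes `Require ldap-group` if the group's `member` attribute actually contains their cross-domain DN; verify that with the same `ldapsearch` query mod_authnz_ldap would issue before assuming the group type permits it. Second, plain `ldap://` carries both the connector's bind password and every user's Basic-auth password in the clear between httpd and the DC, so in production the URLs should be `ldaps://` (or `LDAPTrustedMode TLS` in mod_ldap) with the DC certificates trusted via `LDAPTrustedGlobalCert`.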