RE: mod_authnz_ldap not working?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Have you, anywhere higher up in your configuration, specified AllowOverride
AuthConfig?

If I don't do that then my .htaccess files don't work no matter what is in
them. Perhaps even when doing it in the main config, it requires the same
allowance.


-----Original Message-----
From: Wulf Kaiser [mailto:wulf.kaiser@xxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Friday, January 09, 2009 9:15 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re:  mod_authnz_ldap not working?

Hi Lars,

thnax for your help, but... i tried:

<Location /etc/misc/downloads/disk_install>
	Order deny,allow
	Deny from All
	AuthName "Download Area - Disk Images"
	AuthType Basic
	AuthBasicProvider ldap
	AuthzLDAPAuthoritative off
	AuthLDAPURL 
ldap://ldap.mydomain.de:389/dc=mydomain,dc=de?cn,userPassword,memberUid,memb
er,gidNumber?sub?(&(objectClass=posixGroup)(gidNumber=915))
	Require valid-user
	Satisfy any
</Location>

according to your configuration. Again no attempt from mod_authnz_ldap 
to query LDAP, access is still granted, no log entries ;-((((

Weird.

- Wulf

Lars schrieb:
> Hi
> 
> I have just gone trough the process of setting up ldapz. Here is my
> working configuration, maybe you can use some of it... ?
> I have used it in an .htaccess file, but it should not be much difference.
> Note: This is for microsoft AD, so you should not need to define that
> weird port..
> 
> <FilesMatch ^network>
> 	Order deny,allow
> 	Deny from All
> 	AuthName "Only IT"
> 	AuthType Basic
> 	AuthBasicProvider ldap
> 	AuthzLDAPAuthoritative off
> 	AuthLDAPURL
"ldap://ldap:3268/OU=RR,DC=ad,DC=ourdomain,DC=com?sAMAccountName?sub?(member
Of=CN=it_dep,OU=Mailing
> lists,OU=RR,DC=ad,DC=ourdomain,DC=com)"
> 	AuthLDAPBindDN "CN=ldapread,OU=Service
users,OU=It,DC=ad,DC=ourdomain,DC=com"
> 	AuthLDAPBindPassword pAss_w0rd
> 	Require valid-user
> 	Satisfy any
> </FilesMatch>
> 
> 
> And offcouse you need to:
> 	LoadModule authz_svn_module	modules/mod_authz_svn.so
> 	LoadModule ldap_module		modules/mod_ldap.so
> 
> 
> Hope this helps..
> 
> Regard
>   Lars
> 
> On Fri, Jan 9, 2009 at 2:00 PM, Wulf Kaiser
> <wulf.kaiser@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>> Hi Eric,
>>
>> <AuthnProviderAlias ldap group1-access>
>>
>>
ldap://ldap.mydomain.de:389/ou=people,dc=mydomain,dc=de?uid?sub?(objectClass
=*)
>> </AuthnProviderAlias>
>>
>> <Location /etc/misc/downloads/disk_install>
>>    AuthType Basic
>>    AuthName "Download Area - Disk Images"
>>    AuthBasicProvider group1-access
>>    AuthLDAPGroupAttribute memberUid
>>    AuthLDAPGroupAttribute uniqueMember
>>    AuthLDAPGroupAttribute member
>>    Require ldap-group cn=group1,ou=group,dc=mydomain,dc=de
>>    Prder allow,deny
>>    Allow from all
>>    Satisfy All
>> </Location>
>>
>> with the same result: nothing & still ignoring (no log entries)
>>
>> Eric Covener schrieb:
>>> On Fri, Jan 9, 2009 at 7:35 AM, Wulf Kaiser
>>> <wulf.kaiser@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>>>> Hi Eric,
>>>>
>>>> thanks in advance. I tried that by setting
>>>>   ....
>>>>   Order deny,allow
>>>>   Deny from all
>>>>   Satisfy any
>>>> </Directory>
>>>>
>>>> but without result :-((
>>>>
>>>> I am currently tailing -f the httpd error logs in debug mode, and also
>>>> the
>>>> LDAP logs, but i do not get more out of them then a pain in the eye...
>>>>
>>>> It really seems as mod_(autnz)_ldap is simply ignored.
>>>
>>> Any chance you're blowing this config away implicitly by a Location
>>> container that matches (with e.g. allow from all?)  I would recommend
>>> Satisfy All while testing.
>>>
>> --
>> Grüße,
>>
>> Wulf Kaiser
>> ___________________________
>>
>> IT Services - Web & Database Development
>> Webmaster www.mpimf-heidelberg.mpg.de
>>
>> Max-Planck-Institut für medizinische Forschung
>> Jahnstrasse 29 - 69120 Heidelberg
>> Fon +49 6221 486560    Fax +49 6221 486561
>>
>> SHA1 Fingerprint:
>> 6a a7 67 d6 e0 21 d1 59 d1 73 20 fb e8 b4 d9 51 ac aa 6d 17
>>
>>
> 
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
> 

-- 
Grüße,

Wulf Kaiser
___________________________

IT Services - Web & Database Development
Webmaster www.mpimf-heidelberg.mpg.de

Max-Planck-Institut für medizinische Forschung
Jahnstrasse 29 - 69120 Heidelberg
Fon +49 6221 486560    Fax +49 6221 486561

SHA1 Fingerprint:
6a a7 67 d6 e0 21 d1 59 d1 73 20 fb e8 b4 d9 51 ac aa 6d 17



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx



[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux