Hello,
Please forgive me if this is the wrong place to post questions about mod_authnz_ldap, but I've been struggling with this particularly issue for a few days now ...
I have a (working) openldap server which contains a number of user accounts. see extract below :
dn: uid=pmiles,ou=people,dc=paymo,dc=com
givenName: Paul
sn: Miles
mail: paul.miles@xxxxxxxxx
cn: Paul Miles
uid: pmiles
userPassword:: Q0hebmczTTM=
uidNumber: 1011
gidNumber: 10000
homeDirectory: /dev/null
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
structuralObjectClass: inetOrgPerson
entryUUID: 131b7288-e55a-102d-8cc6-3d5a9f4d1623
creatorsName: cn=Manager,dc=paymo,dc=com
createTimestamp: 20090604134805Z
entryCSN: 20090604134805Z#000000#00#000000
modifiersName: cn=Manager,dc=paymo,dc=com
modifyTimestamp: 20090604134805Z
dn: cn=sys_admins,ou=group,dc=paymo,dc=com
cn: sys_admins
gidNumber: 1000
objectClass: posixGroup
objectClass: top
structuralObjectClass: posixGroup
entryUUID: dfdbed90-e567-102d-8cc8-3d5a9f4d1623
creatorsName: cn=Manager,dc=paymo,dc=com
createTimestamp: 20090604152652Z
memberUid: paul.miles@xxxxxxxxx
entryCSN: 20090609120825Z#000000#00#000000
modifiersName: cn=Manager,dc=paymo,dc=com
modifyTimestamp: 20090609120825Z
This is my apache virtual host config :
<Location /en>
AuthType Basic
AuthName "TEST"
AuthLDAPURL ldap://web1.paymo.net:389/ou=People,dc=paymo,dc=com?mail
# require valid-user
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPGroupAttributeIsDN off
require ldap-group cn=sysadmins,dc=paymo,dc=com
</Location>
If I uncomment 'require valid-user' and comment 'require ldap-group' then I can authenticate absolutely fine.
However, if I comment out the 'require valid-user' and uncomment 'require ldap-group', then it never manages to authenticate.
I see these errors in the apache error logs :
[Tue Jun 09 17:52:33 2009] [debug] mod_authnz_ldap.c(373): [client 192.168.0.9] [24341] auth_ldap authenticate: using URL ldap://web1.paymo.net:389/ou=People,dc=paymo,dc=com?mail, referer: http://devwww.paymo.com/
[Tue Jun 09 17:52:33 2009] [debug] mod_authnz_ldap.c(454): [client 192.168.0.9] [24341] auth_ldap authenticate: accepting paul.miles@xxxxxxxxx, referer: http://devwww.paymo.com/
[Tue Jun 09 17:52:33 2009] [debug] mod_authnz_ldap.c(821): [client 192.168.0.9] [24341] auth_ldap authorise: declining to authorise, referer: http://devwww.paymo.com/
[Tue Jun 09 17:52:33 2009] [error] [client 192.168.0.9] access to /en/company.html failed, reason: require directives present and no Authoritative handler., referer: http://devwww.paymo.com/
[Tue Jun 09 17:52:36 2009] [debug] mod_authnz_ldap.c(373): [client 192.168.0.9] [24342] auth_ldap authenticate: using URL ldap://web1.paymo.net:389/ou=People,dc=paymo,dc=com?mail, referer: http://devwww.paymo.com/
[Tue Jun 09 17:52:36 2009] [debug] mod_authnz_ldap.c(454): [client 192.168.0.9] [24342] auth_ldap authenticate: accepting paul.miles@xxxxxxxxx, referer: http://devwww.paymo.com/
[Tue Jun 09 17:52:36 2009] [debug] mod_authnz_ldap.c(821): [client 192.168.0.9] [24342] auth_ldap authorise: declining to authorise, referer: http://devwww.paymo.com/
[Tue Jun 09 17:52:36 2009] [error] [client 192.168.0.9] access to /en/company.html failed, reason: require directives present and no Authoritative handler., referer: http://devwww.paymo.com/
I'd welcome any advice/suggestions on this.
Many thanks for your time.
Paul
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|