I'm able to do LDAP-based group authorization when I specify the group info as a filter in the LDAP URL, but I'd like to configure a more generic LDAP string in the apache config and allow users to control access by group membership using .htaccess files. I'm able to authenticate based on userid/password but can't seem to get the config quite right to authorize based on group membership. These memberships are in the memberOf attribute on User records. In the LDAP tree, users are in OU=Company Users; groups are in OU=GroupStuff and OU=Standard under OU=Company Groups. The log files complain that an attribute can't be found for the group value specified. Any ideas?

My ldap config looks like this:

    AuthName "Active Directory"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPBindDN "CN=mybinduser,OU=Generics,OU=Company Users,DC=dev,DC=company,DC=com"
    AuthLDAPBindPassword secret
    AuthLDAPRemoteUserAttribute cn
    AuthLDAPUrl "ldap://dev.company.com:389/OU=Company Users,DC=dev,DC=company,DC=com?cn?sub?"
    AuthzLDAPAuthoritative on
    AuthLDAPGroupAttribute memberOf

.htaccess file looks like this:

    require valid-user
    require ldap-group CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com

Logs look like this:

    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(875): [6756] auth_ldap url parse: `ldap://dev.company.com:389/OU=Company Users,DC=dev,DC=company,DC=com?cn?sub?'
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(884): [6756] auth_ldap url parse: Host: dev.company.com:389
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(886): [6756] auth_ldap url parse: Port: 389
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(888): [6756] auth_ldap url parse: DN: OU= Company Users,DC=dev,DC=company,DC=com
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(890): [6756] auth_ldap url parse: attrib: cn
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(892): [6756] auth_ldap url parse: scope: subtree
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(897): [6756] auth_ldap url parse: filter: (null)
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(977): LDAP: auth_ldap not using SSL connections
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(377): [client 64.102.41.173] [6756] auth_ldap authenticate: using URL ldap://dev.company.com:389/OU= Company Users,DC=dev,DC=company,DC=com?cn?sub?
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(474): [client 64.102.41.173] [6756] auth_ldap authenticate: accepting trice
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(715): [client 64.102.41.173] [6756] auth_ldap authorise: require group: testing for group membership in "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com"
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(721): [client 64.102.41.173] [6756] auth_ldap authorise: require group: testing for memberOf: CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com (CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com)
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(737): [client 64.102.41.173] [6756] auth_ldap authorise: require group "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
    [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(852): [client 64.102.41.173] [6756] auth_ldap authorise: authorisation denied

My LDAP entry (using the URL above) looks like this:

    dn: CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: trice
    <you don't care what my address, mailbox number, etc. is so ... snip>
    memberOf: CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
    memberOf: CN=admins,OU=Standard,OU=Company Groups,DC=dev,DC= company,DC=com
    department: 8675309
    company: Company, Inc.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
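The group check whose failure the log above records, as an added example that is not part of the original message and not mod_authnz_ldap's own code: an in-memory model of the LDAP Compare that `Require ldap-group` performs against the group entry, run over constructed entries mirroring the ones quoted in the post. `DIRECTORY`, `ldap_compare`, `require_ldap_group` and the two `check_*` functions are my own names; the attribute defaults follow the module's documented `AuthLDAPGroupAttribute member uniqueMember`.

```python
# Added example (mine, not from the post or from mod_authnz_ldap): an in-memory
# model of the LDAP Compare behind "Require ldap-group". The module does not read
# the user's memberOf; it asks the *group* entry whether AuthLDAPGroupAttribute
# holds the user's DN (AuthLDAPGroupAttributeIsDN on) or the supplied username.

# LDAP resultCode names a Compare operation can return (RFC 4511).
COMPARE_FALSE, COMPARE_TRUE = "compareFalse", "compareTrue"
NO_SUCH_ATTRIBUTE, NO_SUCH_OBJECT = "noSuchAttribute", "noSuchObject"

def normalize_dn(dn):
    """Canonical form for matching: AD DNs are case-insensitive and tolerate
    blanks around '=' and ',' (escaped commas inside values are not handled)."""
    parts = (rdn.split("=", 1) for rdn in dn.split(","))
    return ",".join(f"{t.strip().lower()}={v.strip().lower()}" for t, v in parts)

def ldap_compare(directory, dn, attr, value, value_is_dn=True):
    """Compare operation: does entry `dn` hold `value` in attribute `attr`?"""
    entry = directory.get(normalize_dn(dn))
    if entry is None:
        return NO_SUCH_OBJECT
    held = entry.get(attr.lower())
    if held is None:
        return NO_SUCH_ATTRIBUTE  # the "[No such attribute]" in the post's log
    canon = normalize_dn if value_is_dn else str.lower
    return COMPARE_TRUE if canon(value) in {canon(v) for v in held} else COMPARE_FALSE

def require_ldap_group(directory, user_dn, user_name, group_dn,
                       group_attrs=("member", "uniqueMember"), attr_is_dn=True):
    """'Require ldap-group <group_dn>' as the module evaluates it: one Compare on
    the group entry per AuthLDAPGroupAttribute, first match wins."""
    needle = user_dn if attr_is_dn else user_name
    outcome = {}
    for attr in group_attrs:
        outcome[attr] = ldap_compare(directory, group_dn, attr, needle, attr_is_dn)
        if outcome[attr] == COMPARE_TRUE:
            return True, outcome
    return False, outcome

# Constructed directory mirroring the post's entries. Active Directory keeps the
# forward link in the group's 'member'; the user's memberOf is only a back link.
USER_DN = "CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com"
GROUP_DN = "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com"
DIRECTORY = {
    normalize_dn(USER_DN): {"cn": ["trice"], "memberof": [GROUP_DN]},
    normalize_dn(GROUP_DN): {"cn": ["mygroup"], "member": [USER_DN]},
}
def check_as_posted():    # AuthLDAPGroupAttribute memberOf, as configured in the post
    return require_ldap_group(DIRECTORY, USER_DN, "trice", GROUP_DN, ("memberOf",))
def check_with_member():  # the module's default, AuthLDAPGroupAttribute member uniqueMember
    return require_ldap_group(DIRECTORY, USER_DN, "trice", GROUP_DN)
```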