One other wrinkle to add to this. I can get "require ldap-group" to work, but only if all the Auth config lines are in the .htaccess file. If it's in the httpd.conf file and only require lines are in the .htaccess file, require ldap-group produces the errors below (though "require valid-user" and "require ldap-filter" work fine either way).

-Tony

> -----Original Message-----
> From: Tony Rice (trice)
> Sent: Friday, October 02, 2009 1:52 PM
> To: users@xxxxxxxxxxxxxxxx
> Subject: RE: group authorization via LDAP
>
> I'm able to do LDAP based group authorization when I specify the group
> info as a filter in the LDAP URL but I'd like to configure a more
> generic LDAP string in the apache config and allow users to control
> access by group membership using .htaccess files. I'm able to
> authenticate based on userid/password but can't seem to get the config
> quite right to authorize based on group membership.
>
> These memberships are in the memberOf attribute on User records. In the
> LDAP tree, users are in OU=Company Users, groups are in OU=GroupStuff
> and OU=Standard under OU=Company Groups.
>
> The log files complain that an attribute can't be found for the group
> value specified. Any ideas?
>
>
> My ldap config looks like this:
> AuthName "Active Directory"
> AuthType Basic
> AuthBasicProvider ldap
> AuthLDAPBindDN "CN=mybinduser,OU=Generics,OU=Company Users,DC=dev,DC=company,DC=com"
> AuthLDAPBindPassword secret
> AuthLDAPRemoteUserAttribute cn
>
> AuthLDAPUrl "ldap://dev.company.com:389/OU=Company Users,DC=dev,DC=company,DC=com?cn?sub?"
> AuthzLDAPAuthoritative on
> AuthLDAPGroupAttribute memberOf
>
> .htaccess file looks like this:
> require valid-user
> require ldap-group CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
>
>
> Logs look like this:
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(875): [6756] auth_ldap url parse: `ldap://dev.company.com:389/OU=Company Users,DC=dev,DC=company,DC=com?cn?sub?'
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(884): [6756] auth_ldap url parse: Host: dev.company.com:389
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(886): [6756] auth_ldap url parse: Port: 389
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(888): [6756] auth_ldap url parse: DN: OU= Company Users,DC=dev,DC=company,DC=com
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(890): [6756] auth_ldap url parse: attrib: cn
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(892): [6756] auth_ldap url parse: scope: subtree
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(897): [6756] auth_ldap url parse: filter: (null)
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(977): LDAP: auth_ldap not using SSL connections
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(377): [client 64.102.41.173] [6756] auth_ldap authenticate: using URL ldap://dev.company.com:389/OU= Company Users,DC=dev,DC=company,DC=com?cn?sub?
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(474): [client 64.102.41.173] [6756] auth_ldap authenticate: accepting trice
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(715): [client 64.102.41.173] [6756] auth_ldap authorise: require group: testing for group membership in "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com"
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(721): [client 64.102.41.173] [6756] auth_ldap authorise: require group: testing for memberOf: CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com (CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com)
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(737): [client 64.102.41.173] [6756] auth_ldap authorise: require group "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
> [Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(852): [client 64.102.41.173] [6756] auth_ldap authorise: authorisation denied
>
> My LDAP entry (using the URL above) looks like this:
> dn:CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com
>
> objectClass: top
>              person
>              organizationalPerson
>              user
> cn: trice
> <you don't care what my address, mailbox number, etc. is so ... snip>
> memberOf: CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
>           CN=admins,OU=Standard,OU=Company Groups,DC=dev,DC= company,DC=com
> department: 8675309
> company: Company, Inc.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
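The following is an added example, not configuration posted by anyone in the thread. It puts the group-attribute line as posted beside the form the mod_authnz_ldap documentation gives for Active Directory: for "Require ldap-group", the module runs an LDAP compare against the group entry, asking whether the group DN has the AuthLDAPGroupAttribute with the user's DN as a value. The debug line "testing for memberOf: CN=trice,... (CN=mygroup,...)" followed by "[No such attribute]" is what that compare reports when the attribute named is memberOf, which a group object does not carry. The hostname, OUs and DNs are the thread's own values; the Directory path is a placeholder, and the claim that this resolves the poster's problem is an assumption drawn from the documented behaviour, not something the thread confirms. The block also shows the split the poster is after, with all Auth* directives in httpd.conf and only the Require line in .htaccess (Apache 2.2 directives, matching the thread).

```apache
# Added example (not the thread's configuration). Values are the thread's
# own or placeholders; the Directory path is a placeholder.
#
# --- As posted (fails with "Comparison no such attribute") ---
# mod_authnz_ldap evaluates "Require ldap-group <group DN>" with an LDAP
# compare on the GROUP entry: <group DN> ? AuthLDAPGroupAttribute = <user DN>.
# A group object has no memberOf attribute listing its members, so the
# directory answers "no such attribute" and authorisation is denied.
#
#   AuthLDAPGroupAttribute memberOf
#
# --- Documented form for Active Directory (Apache 2.2 directives) ---
<Directory "/var/www/html/restricted">
    AuthName "Active Directory"
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://dev.company.com:389/OU=Company Users,DC=dev,DC=company,DC=com?cn?sub?"
    AuthLDAPBindDN "CN=mybinduser,OU=Generics,OU=Company Users,DC=dev,DC=company,DC=com"
    AuthLDAPBindPassword secret
    AuthLDAPRemoteUserAttribute cn

    # AD groups list their members as DNs in the "member" attribute, so
    # that is the attribute the group compare has to name.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    AuthzLDAPAuthoritative on

    # Per-directory .htaccess files supply only the Require line; every
    # Auth* directive above is inherited from this block.
    AllowOverride AuthConfig
</Directory>

# .htaccess inside /var/www/html/restricted (the only line it needs):
#   Require ldap-group CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
#
# Leave "Require valid-user" out of that file. In 2.2 mod_authnz_ldap
# grants access as soon as any Require line is satisfied, and valid-user
# is satisfied by every user who authenticated, so listing both means the
# group line no longer restricts anything.
```

With AuthLDAPGroupAttribute set to member, the debug log should show the compare being made against the member attribute of the group DN rather than memberOf, and "authorisation failed [Comparison no such attribute ...]" should no longer appear for users the group actually lists.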