----- "Sebastian Reitenbach" <sebastia@xxxxxxxxxxxxxxxxxxxx> wrote:

> Hi,
>
> I have LDAP authentication working against openldap. But I have to
> authenticate against a Lotus Domino Server.
>
> below the contents of my .htaccess file:

Why, Oh, Why are you putting it in .htaccess?

> AuthType Basic
> AuthBasicProvider ldap
> AuthName "LDAP"
> #AuthLDAPURL "ldap://openldapserver:389/ou=people,dc=intern"
> AuthLDAPURL "ldap://dominoserver:389/?uid"
> AuthzLDAPAuthoritative on
> #require valid-user
> require ldap-user user
> #require ldap-group cn=admin
> #require ldap-attribute gidnumber=1011
> Satisfy any
>
> Order deny,allow
> Deny from all
>
> When I comment the require ldap-user line, and uncomment the require
> valid-user line, then I can successfully log in with my credentials.
>
> When I try to restrict the login to a given user or group, then the
> authentication doesn't work.
>
>
> here it works using the openldap server:
> ==> /var/log/apache2/error_log <==
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2013] auth_ldap url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host: openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib: (null), scope: base, filter: (null), connection mode: not using SSL
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2014] auth_ldap url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host: openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib: (null), scope: base, filter: (null), connection mode: not using SSL
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(379): [client 127.0.0.1] [2014] auth_ldap authenticate: using URL ldap://openldapserver:389/ou=people,dc=intern
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(484): [client 127.0.0.1] [2014] auth_ldap authenticate: accepting user
> [Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(659): [client 127.0.0.1] [2014] auth_ldap authorise: require user: authorisation successful
>
>
>
> here it doesn't work, using the domino server:
> ==> /var/log/apache2/error_log <==
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(982): [2015] auth_ldap url parse: `ldap://dominoserver:389/?uid', Host: dominoserver:389, Port: 389, DN: , attrib: uid, scope: base, filter: (null), connection mode: not using SSL
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(379): [client 127.0.0.1] [2015] auth_ldap authenticate: using URL ldap://dominoserver:389/?uid
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(484): [client 127.0.0.1] [2015] auth_ldap authenticate: accepting user
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(665): [client 127.0.0.1] [2015] auth_ldap authorise: require user: authorisation failed [Comparison complete][Insufficient access]
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(685): [client 127.0.0.1] [2015] auth_ldap authorise: require user: authorisation failed [Comparison complete][Insufficient access]
> [Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(874): [client 127.0.0.1] [2015] auth_ldap authorise: authorisation denied
>
> Well, it states about the insufficient access, but I wonder what kind
> of access might be missing?
>
> I can run
> ldapsearch -x -h dominoserver -b "" -D "CN=Test User,O=MyCompany" -W
>
> And I successfully get stuff back from the Domino Server, the Test
> User has uid=user.
> However, what I noticed is I have to specify the empty baseDN -b "",
> without it, I don't get any search results back. I don't have to do it
> against the OpenLDAP server, don't know whether this could be the cause
> of my problem?
>
> Sebastian
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>    "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/
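
Added example, not part of either message above: a short Python triage of the mod_authnz_ldap debug lines quoted in the question, grouping them by the bracketed number and separating the authenticate phase from the authorise phase. The sample input is the quoted log excerpts re-joined onto single lines; the function and field names (summarize, authn, authz, ldap_result) are this example's own.

```python
import re

# Sample input: log lines from the quoted error_log excerpts, re-joined onto single lines.
SAMPLE_LOG = """\
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(982): [2014] auth_ldap url parse: `ldap://openldapserver:389/ou=people,dc=intern', Host: openldapserver:389, Port: 389, DN: ou=people,dc=intern, attrib: (null), scope: base, filter: (null), connection mode: not using SSL
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(484): [client 127.0.0.1] [2014] auth_ldap authenticate: accepting user
[Thu Jan 06 14:02:21 2011] [debug] mod_authnz_ldap.c(659): [client 127.0.0.1] [2014] auth_ldap authorise: require user: authorisation successful
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(982): [2015] auth_ldap url parse: `ldap://dominoserver:389/?uid', Host: dominoserver:389, Port: 389, DN: , attrib: uid, scope: base, filter: (null), connection mode: not using SSL
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(484): [client 127.0.0.1] [2015] auth_ldap authenticate: accepting user
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(665): [client 127.0.0.1] [2015] auth_ldap authorise: require user: authorisation failed [Comparison complete][Insufficient access]
[Thu Jan 06 14:04:28 2011] [debug] mod_authnz_ldap.c(874): [client 127.0.0.1] [2015] auth_ldap authorise: authorisation denied
"""

# Bracketed number, phase keyword, and the rest of an auth_ldap debug message.
LINE = re.compile(r"\[(\d+)\] auth_ldap (url parse|authenticate|authorise): (.*)$")
# Fields of the "url parse" message: URL, base DN, attribute, scope.
URL_PARSE = re.compile(r"`([^']*)', Host: \S+, Port: \d+, DN: (.*?), attrib: (.*?), scope: (\w+),")

def summarize(log):
    """Group auth_ldap debug lines by bracketed number and record each phase's outcome."""
    out = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rid, phase, rest = m.groups()
        rec = out.setdefault(rid, {"authn": None, "authz": None, "ldap_result": []})
        if phase == "url parse":
            u = URL_PARSE.search(rest)
            if u:
                rec.update(url=u[1], dn=u[2], attrib=u[3], scope=u[4])
        elif phase == "authenticate" and "accepting" in rest:
            rec["authn"] = "accepted"
        elif phase == "authorise" and "successful" in rest:
            rec["authz"] = "granted"
        elif phase == "authorise" and ("failed" in rest or "denied" in rest):
            rec["authz"] = "denied"
            for r in re.findall(r"\[([^\]]+)\]", rest):  # LDAP result strings
                if r not in rec["ldap_result"]:
                    rec["ldap_result"].append(r)
    return out

if __name__ == "__main__":
    for rid, rec in summarize(SAMPLE_LOG).items():
        print(rid, rec)
```

For the Domino request the summary shows the authenticate phase accepted and only the authorise phase denied, alongside the empty DN and base scope taken from the parsed URL.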