https://issues.apache.org/bugzilla/show_bug.cgi?id=46978
Summary: mod_authz_LDAP displays page not found when used with mod_auth_kerb
Product: Apache httpd-2
Version: 2.2.11
Platform: PC
URL: http://private
OS/Version: FreeBSD
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_ldap
AssignedTo: [email protected]
ReportedBy: [email protected]
If using mod_auth_kerb for authentication and mod_authz_ldap for authorization,
a page not found will be displayed if you are authenticated with mod_auth_kerb
but denied access with mod_authz_ldap.
httpd.conf
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbAuthRealms DOMAIN.COM
KrbAuthoritative on
Krb5KeyTab /usr/local/etc/apache22/keytab
AuthLDAPBindDN "[email protected]"
AuthLDAPBindPassword "password"
AuthLDAPUrl ldap://ADserver:3268/dc=domain,dc=com?userPrincipalName?sub?(objectClass=*)
require ldap-group cn=group,OU=Groups,DC=domain,DC=com
error log
[Mon Apr 06 13:27:33 2009] [debug] src/mod_auth_kerb.c(1628): [client 1.2.3.4] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 06 13:27:41 2009] [debug] src/mod_auth_kerb.c(1628): [client 1.2.3.4] kerb_authenticate_user entered with user (NULL) and auth_type Kerberos
[Mon Apr 06 13:27:41 2009] [debug] src/mod_auth_kerb.c(1240): [client 1.2.3.4] Acquiring creds for [email protected]
[Mon Apr 06 13:27:41 2009] [debug] src/mod_auth_kerb.c(1385): [client 1.2.3.4] Verifying client data using KRB5 GSS-API with our SPNEGO lib
[Mon Apr 06 13:27:41 2009] [debug] src/mod_auth_kerb.c(1401): [client 1.2.3.4] Client didn't delegate us their credential
[Mon Apr 06 13:27:41 2009] [debug] src/mod_auth_kerb.c(1420): [client 1.2.3.4] GSS-API token of length 129 bytes will be sent back
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(582): [client 1.2.3.4] ldap authorize: Creating LDAP req structure
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(715): [client 1.2.3.4] [77101] auth_ldap authorise: require group: testing for group membership in "cn=group,OU=Groups,DC=domain,DC=com"
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(721): [client 1.2.3.4] [77101] auth_ldap authorise: require group: testing for member: CN=user,OU=Accounts,DC=domain,DC=com (cn=group,OU=Groups,DC=domain,DC=com)
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(737): [client 1.2.3.4] [77101] auth_ldap authorise: require group "cn=group,OU=Groups,DC=domain,DC=com": authorisation failed [Comparison false (adding to cache)][Compare False]
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(721): [client 1.2.3.4] [77101] auth_ldap authorise: require group: testing for uniquemember: CN=user,OU=Accounts,DC=domain,DC=com (cn=group,OU=Groups,DC=domain,DC=com)
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(737): [client 1.2.3.4] [77101] auth_ldap authorise: require group "cn=group,OU=Groups,DC=domain,DC=com": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
[Mon Apr 06 13:27:41 2009] [debug] mod_authnz_ldap.c(852): [client 1.2.3.4] [77101] auth_ldap authorise: authorisation denied