https://issues.apache.org/bugzilla/show_bug.cgi?id=47676
Summary: mod_authnz_ldap successful authorization passed through to mod_authz_groupfile
Product: Apache httpd-2
Version: 2.2.12
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_authz_ldap
AssignedTo: [email protected]
ReportedBy: [email protected]
--- Comment #0 from Holger Dippel <[email protected]> 2009-08-11 08:57:22 PDT ---
I am attempting to use a combination of CAS, LDAP, and local group files for
authentication and authorization.
mod_auth_cas (from JSIG) is loaded dynamically; mod_ldap, mod_authnz_ldap, and
mod_authz_groupfile are compiled into our custom build of Apache.
The .htaccess file looks like this:

    AuthType CAS
    AuthName "Auth Test"
    AuthGroupFile /path/to/groupfile/.groups
    AuthLDAPUrl ldap://...?uid?sub
    AuthzLDAPAuthoritative off
    Require ldap-user userone
    Require group testing

The .groups file looks like this:

    testing: usertwo

CAS authentication is successful for both users, but userone is denied access
with a 401 Authorization Required. The error log says:
"Authorization of user userone to access ... failed, reason: user doesn't
appear in group file (/path/to/groupfile/.groups)"
usertwo is granted access without any problems based on the group file
authorization.
I've tried adding filters to the AuthLDAPUrl directive, and different Require
ldap-... directives, with and without a Satisfy Any, but this behavior is
consistently the same.
The mod_authnz_ldap documentation seems to indicate under the
AuthzLDAPAuthoritative directive that authorization is only passed to a
lower-level module (mod_authz_groupfile in this case) if it fails with LDAP.
The actual behavior is that it is always passed on.