https://bz.apache.org/bugzilla/show_bug.cgi?id=59880
Alex Duzsardi <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #1 from Alex Duzsardi <[email protected]> ---
For me it works like this

#single attribute filter
Require ldap-filter memberof=CN=Admins,CN=Users,DC=testing,DC=lan

# two attributes
Require ldap-filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)([email protected])

Notice, there are no quotes and/or outer parentheses

User 'admin' gets access based on the latter filter, and user 'tester', which is a member of the 'Admins' group but doesn't have the mail attribute = [email protected], gets access denied

[Wed Oct 19 16:11:39.029877 2016] [authz_core:debug] [pid 3159] mod_authz_core.c(809): [client 10.0.1.110:61615] AH01626: authorization result of Require ldap-filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)([email protected]): denied (no authenticated user yet)
[Wed Oct 19 16:11:39.029904 2016] [authz_core:debug] [pid 3159] mod_authz_core.c(809): [client 10.0.1.110:61615] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279454 2016] [authz_core:debug] [pid 3160] mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result of Require ldap-filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)([email protected]): denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279481 2016] [authz_core:debug] [pid 3160] mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279503 2016] [authnz_ldap:debug] [pid 3160] mod_authnz_ldap.c(501): [client 10.0.1.110:61619] AH01691: auth_ldap authenticate: using URL ldap://10.100.30.10/DC=testing,DC=lan?samaccountname?sub
[Wed Oct 19 16:11:46.279807 2016] [ldap:debug] [pid 3160] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 19 16:11:46.289145 2016] [authnz_ldap:debug] [pid 3160] mod_authnz_ldap.c(593): [client 10.0.1.110:61619] AH01697: auth_ldap authenticate: accepting admin
[Wed Oct 19 16:11:46.289168 2016] [authnz_ldap:debug] [pid 3160] mod_authnz_ldap.c(1259): [client 10.0.1.110:61619] AH01743: auth_ldap authorize: checking filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)([email protected])
[Wed Oct 19 16:11:46.300097 2016] [authnz_ldap:debug] [pid 3160] mod_authnz_ldap.c(1271): [client 10.0.1.110:61619] AH01744: auth_ldap authorize: checking dn match CN=admin,CN=Users,DC=testing,DC=lan
[Wed Oct 19 16:11:46.300120 2016] [authnz_ldap:debug] [pid 3160] mod_authnz_ldap.c(1286): [client 10.0.1.110:61619] AH01745: auth_ldap authorize: require ldap-filter: authorization successful
[Wed Oct 19 16:11:46.300125 2016] [authz_core:debug] [pid 3160] mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result of Require ldap-filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)([email protected]): granted
[Wed Oct 19 16:11:46.300127 2016] [authz_core:debug] [pid 3160] mod_authz_core.c(809): [client 10.0.1.110:61619] AH01626: authorization result of <RequireAny>: granted
[Wed Oct 19 16:14:24.524105 2016] [authz_core:debug] [pid 3161] mod_authz_core.c(809): [client 10.0.1.110:61677] AH01626: authorization result of Require ldap-filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)([email protected]): denied (no authenticated user yet)
[Wed Oct 19 16:14:24.524133 2016] [authz_core:debug] [pid 3161] mod_authz_core.c(809): [client 10.0.1.110:61677] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919074 2016] [authz_core:debug] [pid 3162] mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result of Require ldap-filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)([email protected]): denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919163 2016] [authz_core:debug] [pid 3162] mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[Wed Oct 19 16:14:40.919197 2016] [authnz_ldap:debug] [pid 3162] mod_authnz_ldap.c(501): [client 10.0.1.110:61682] AH01691: auth_ldap authenticate: using URL ldap://10.100.30.10/DC=testing,DC=lan?samaccountname?sub
[Wed Oct 19 16:14:40.919552 2016] [ldap:debug] [pid 3162] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 19 16:14:40.931736 2016] [authnz_ldap:debug] [pid 3162] mod_authnz_ldap.c(593): [client 10.0.1.110:61682] AH01697: auth_ldap authenticate: accepting tester
[Wed Oct 19 16:14:40.931773 2016] [authnz_ldap:debug] [pid 3162] mod_authnz_ldap.c(1259): [client 10.0.1.110:61682] AH01743: auth_ldap authorize: checking filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)([email protected])
[Wed Oct 19 16:14:40.940934 2016] [authnz_ldap:debug] [pid 3162] mod_authnz_ldap.c(1301): [client 10.0.1.110:61682] AH01747: auth_ldap authorize: require ldap-filter: authorization failed [User not found][No such object]
[Wed Oct 19 16:14:40.940961 2016] [authnz_ldap:debug] [pid 3162] mod_authnz_ldap.c(1309): [client 10.0.1.110:61682] AH01748: auth_ldap authorize filter: authorization denied for user tester to /ldap-status
[Wed Oct 19 16:14:40.940967 2016] [authz_core:debug] [pid 3162] mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result of Require ldap-filter &(memberof=CN=Admins,CN=Users,DC=testing,DC=lan)([email protected]): denied
[Wed Oct 19 16:14:40.940970 2016] [authz_core:debug] [pid 3162] mod_authz_core.c(809): [client 10.0.1.110:61682] AH01626: authorization result of <RequireAny>: denied
[Wed Oct 19 16:14:40.940973 2016] [authz_core:error] [pid 3162] [client 10.0.1.110:61682] AH01631: user tester: authorization failure for "/ldap-status":
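Added example, not part of the comment above or of Apache httpd: a small Python correlator that reads debug-level error log lines in the format quoted in the comment and reports, per authenticated user, whether the `Require ldap-filter` check granted or denied access and why. The function name `ldap_filter_decisions`, the filter value and the sample lines are constructed for illustration; the AH message codes are the ones visible in the log above.

```python
import re

# Constructed sample in the format of the debug log quoted above (not real data).
FILTER = "&(memberof=CN=Admins,CN=Users,DC=example,DC=test)(mail=admin@example.test)"
SAMPLE_LOG = f"""\
[Wed Oct 19 16:11:46.279454 2016] [authz_core:debug] [pid 3160] mod_authz_core.c(809): [client 192.0.2.10:61619] AH01626: authorization result of Require ldap-filter {FILTER}: denied (no authenticated user yet)
[Wed Oct 19 16:11:46.279807 2016] [ldap:debug] [pid 3160] util_ldap.c(372): AH01278: LDAP: Setting referrals to On.
[Wed Oct 19 16:11:46.289145 2016] [authnz_ldap:debug] [pid 3160] mod_authnz_ldap.c(593): [client 192.0.2.10:61619] AH01697: auth_ldap authenticate: accepting admin
[Wed Oct 19 16:11:46.289168 2016] [authnz_ldap:debug] [pid 3160] mod_authnz_ldap.c(1259): [client 192.0.2.10:61619] AH01743: auth_ldap authorize: checking filter {FILTER}
[Wed Oct 19 16:11:46.300120 2016] [authnz_ldap:debug] [pid 3160] mod_authnz_ldap.c(1286): [client 192.0.2.10:61619] AH01745: auth_ldap authorize: require ldap-filter: authorization successful
[Wed Oct 19 16:14:40.931736 2016] [authnz_ldap:debug] [pid 3162] mod_authnz_ldap.c(593): [client 192.0.2.10:61682] AH01697: auth_ldap authenticate: accepting tester
[Wed Oct 19 16:14:40.931773 2016] [authnz_ldap:debug] [pid 3162] mod_authnz_ldap.c(1259): [client 192.0.2.10:61682] AH01743: auth_ldap authorize: checking filter {FILTER}
[Wed Oct 19 16:14:40.940934 2016] [authnz_ldap:debug] [pid 3162] mod_authnz_ldap.c(1301): [client 192.0.2.10:61682] AH01747: auth_ldap authorize: require ldap-filter: authorization failed [User not found][No such object]
[Wed Oct 19 16:14:40.940961 2016] [authnz_ldap:debug] [pid 3162] mod_authnz_ldap.c(1309): [client 192.0.2.10:61682] AH01748: auth_ldap authorize filter: authorization denied for user tester to /ldap-status
"""

LINE = re.compile(r"\[pid (?P<pid>\d+)\].*?\[client (?P<client>[^\]]+)\] "
                  r"(?P<code>AH\d{5}): (?P<msg>.*)")

def ldap_filter_decisions(log_text):
    """Correlate mod_authnz_ldap debug lines into one record per filter check."""
    pending, results = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # lines without a [client ...] field, e.g. AH01278
        key, code, msg = (m["pid"], m["client"]), m["code"], m["msg"]
        if code == "AH01697":  # authentication accepted: start tracking this user
            user = msg.rsplit("accepting ", 1)[1].strip()
            pending[key] = {"user": user, "filter": None, "reason": None}
        elif key not in pending:
            continue  # e.g. AH01626 "no authenticated user yet": nobody accepted yet
        elif code == "AH01743":  # the filter text that was actually evaluated
            pending[key]["filter"] = msg.split("checking filter ", 1)[1]
        elif code == "AH01747":  # failure detail reported for the filter search
            pending[key]["reason"] = msg.split("authorization failed ", 1)[1]
        elif code in ("AH01745", "AH01748"):  # final provider verdict
            rec = pending.pop(key)
            rec["decision"] = "granted" if code == "AH01745" else "denied"
            results.append(rec)
    return results

if __name__ == "__main__":
    for rec in ldap_filter_decisions(SAMPLE_LOG):
        print(rec["user"], rec["decision"], rec["reason"] or "")
```

The `filter` field in each record is the string from the AH01743 line, which makes it easy to confirm that the filter reaching the LDAP search is the one written in the `Require ldap-filter` directive.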
