On 8/3/07, Paul Ortman <[EMAIL PROTECTED]> wrote:
> I have an existing application (cacti) that currently is using
> mod_auth_ldap for authentication (authn) and authorization (authz)
> to limit access to a selected LDAP group. This is a fairly
> common usage scenario -- we need authz in addition to authn for
> pre-built web applications that don't contain their own authz. So,
> I decided to fiddle a bit, but things aren't working too well, and I
> thought I'd ask to see if anybody else has made this work, or if it
> is known broken or whatever.
We're currently running the setup you describe with a mix of RHEL/CentOS 3 (httpd 2.0.46), 4 (httpd 2.0.52), and 5 (httpd 2.2.3). We've only been running it for a day or two, but everything appears to be working so far.

The biggest problem I ran into was that mod_auth_ldap apparently must be loaded before mod_auth_cas. This makes mod_auth_ldap run first so that it can properly store the username during the authn phase (even though it fails to authenticate the user) so that it can then check for authorization on that username during the authz phase.

Which module do you load first? If mod_auth_cas is listed before mod_auth_ldap, then mod_auth_cas authenticates the user, so mod_auth_ldap never initializes its username info. Depending on your version of httpd, it may then cause httpd to segfault from trying to use uninitialized user info during the authz phase. Is it possible that what you're seeing is a segfaulting httpd rather than a hanging browser?

From what I gather, Apache 2.2 is supposed to more cleanly separate authn from authz, so it might be easier to make it work, but I doubt you want to upgrade right now.

Josh Kelley

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
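As an added illustration (not a configuration posted by either participant), here is an httpd 2.0-style fragment that applies the load order Josh reports: mod_auth_ldap loaded before mod_auth_cas, CAS doing the authn, and an LDAP group `require` doing the authz. The module file paths, the CAS server URLs, the LDAP URL and group DN, the cookie path, and the use of AuthLDAPAuthoritative off are all assumptions for illustration, not values from the thread.

```apache
# Added example, not from the thread. Load mod_auth_ldap BEFORE mod_auth_cas,
# the order Josh reports as working, so that mod_auth_ldap's authn hook runs
# first and records the username it later needs for the `require group` check.
# Module paths and all hostnames, DNs and directories below are assumed.
LoadModule auth_ldap_module modules/mod_auth_ldap.so
LoadModule auth_cas_module  modules/mod_auth_cas.so

# Assumed mod_auth_cas server-wide settings (cas.example.edu is a placeholder).
CASLoginURL    https://cas.example.edu/cas/login
CASValidateURL https://cas.example.edu/cas/serviceValidate
CASCookiePath  /var/cache/httpd/mod_auth_cas/

<Location /cacti>
    # Authentication is done by CAS, not by LDAP.
    AuthType CAS
    AuthName "Cacti"

    # LDAP is used only for the group-membership (authz) check.
    # AuthLDAPAuthoritative off (assumed) lets mod_auth_ldap decline the
    # authn step, which it cannot complete, instead of rejecting the request.
    AuthLDAPURL ldap://ldap.example.edu/ou=People,dc=example,dc=edu?uid
    AuthLDAPAuthoritative off
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Only members of the (placeholder) cacti-admins group get access.
    require group cn=cacti-admins,ou=Groups,dc=example,dc=edu
</Location>
```

If the order is reversed and httpd dies during the authz phase, check the error_log for child segfault notices before assuming the browser is hanging, as Josh suggests.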
