On 8/3/07, Paul Ortman <[EMAIL PROTECTED]> wrote:
> Well, both mod_auth_ldap and mod_auth_cas have their own snippets of
> apache config stored in /etc/apache2/modules/ as
> 40_mod_auth_ldap.conf and 91_mod_auth_cas.conf respectively.  They're
> loaded into the global httpd.conf via an "include
> /etc/apache2/modules.d/*.conf" directive.

Yes, that ought to include them in the proper order.

> That makes a certain amount of sense.  Unfortunately, even after I
> turn on full apache debugging, I can't seem to see that anything is
> going wrong.  After the browser is bounced to the login CAS server
> and back to the client server, the only thing that shows up in the
> apache error log with "log level" set to debugging is:
>
>   [debug] util_ldap.c(1690): Initialisation of global mutex
> /tmp/fileXYo0iH in child process 26932 successful.
>
> That seems to indicate that apache is at least starting up
> mod_auth_ldap correctly for a new ldap connection, presumably to check
> with the ldap server.

This is probably a dumb question, but on Red Hat at least, the log
level must be set to debug for both SSL and non-SSL hosts, and there
are separate /var/log/httpd/error_log and /var/log/httpd/ssl_error_log
files.  If Gentoo is the same, did you check both places?

Have you tried running httpd with the -X option, so it only spawns one
worker and stays in the foreground?  That makes it a lot easier to
debug with tools like gdb and strace.  And a tool like Wireshark or
tcpdump could let you confirm that it's checking the LDAP server for
authz.

Other than that, I'm not sure what to tell you, unless there's some
quirk of Apache 2.0.46/2.0.52 versus 2.0.58 or some quirk resulting
from the various patches that Red Hat applies to its httpd.

> Is there any chance I could take a look at your apache directives
> for the protected directories or hosts?

In conf/httpd.conf:

<Location />
    Include "conf.d/ldap-auth.inc"

    AuthType Cas
    AuthName "Network Monitor"

    require group cn=netmon,ou=Group,dc=jbc,dc=edu
</Location>

In conf.d/ldap-auth.inc:

AuthLDAPUrl "ldaps://ldap1.jbc.edu ldap2.jbc.edu/dc=jbc,dc=edu"
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off

Top-level LDAP and CAS directives, just for completeness:

LDAPTrustedCA /etc/pki/tls/certs/ca-jbc.crt
LDAPTrustedCAType BASE64_FILE

CASCookiePath /var/run/mod_auth_cas/

CASCertificatePath /etc/pki/tls/certs/

CASLoginURL https://login.jbc.edu:8443/cas/login
CASValidateURL https://login.jbc.edu:8443/cas/serviceValidate
CASProxyValidateURL https://login.jbc.edu:8443/cas/proxyValidate

Effectively identical to yours, as far as I can tell.  Sorry I
couldn't be more help.

Josh Kelley
_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
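An added illustration, not from this thread and not Apache's own code: a small Python simulation of the decision mod_auth_ldap makes for `require group` once mod_auth_cas has validated the ticket and set REMOTE_USER. The base DN, group attribute and IsDN setting are the ones from the config above; the directory entries and usernames are constructed and hypothetical, and the lookup steps are a simplified model of the module rather than its real LDAP traffic. It shows why `AuthLDAPGroupAttribute memberUid` pairs with `AuthLDAPGroupAttributeIsDN off` (memberUid holds plain uids) and why a group whose membership attribute holds DNs is denied under that config.

```python
"""Simulation of Apache mod_auth_ldap's 'require group' check for a user that
mod_auth_cas has already authenticated.  Constructed example, not Apache code."""

from dataclasses import dataclass

# Constructed, hypothetical directory (DN -> attributes); none of these are real accounts.
# Layout follows the config in the thread: people under ou=People, groups under ou=Group.
DIRECTORY = {
    "uid=jkelley,ou=People,dc=jbc,dc=edu": {"uid": ["jkelley"]},
    "uid=portman,ou=People,dc=jbc,dc=edu": {"uid": ["portman"]},
    # posixGroup style: memberUid holds plain usernames -> AuthLDAPGroupAttributeIsDN off
    "cn=netmon,ou=Group,dc=jbc,dc=edu": {"cn": ["netmon"], "memberUid": ["jkelley"]},
    # groupOfNames style: member holds full DNs -> needs AuthLDAPGroupAttributeIsDN on
    "cn=wheel,ou=Group,dc=jbc,dc=edu": {
        "cn": ["wheel"],
        "member": ["uid=portman,ou=People,dc=jbc,dc=edu"],
    },
}


@dataclass
class LdapAuthzConfig:
    """The directives from conf.d/ldap-auth.inc, defaulting to the values in the post."""
    base_dn: str = "dc=jbc,dc=edu"       # base DN part of AuthLDAPUrl
    user_attribute: str = "uid"          # attribute part of AuthLDAPUrl (uid is the default)
    group_attribute: str = "memberUid"   # AuthLDAPGroupAttribute
    group_attribute_is_dn: bool = False  # AuthLDAPGroupAttributeIsDN


def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively and ignore whitespace around the commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_user_dn(directory, cfg, username):
    """Step 1: the user search under the AuthLDAPUrl base that yields the user's DN.
    Exactly one entry must match (attribute=username); otherwise the user is unknown."""
    base = normalize_dn(cfg.base_dn)
    matches = [dn for dn, attrs in directory.items()
               if normalize_dn(dn).endswith(base)
               and username in attrs.get(cfg.user_attribute, [])]
    return matches[0] if len(matches) == 1 else None


def require_group(directory, cfg, remote_user, group_dn):
    """Steps 2 and 3: decide 'require group <group_dn>' for REMOTE_USER.
    Returns (allowed, reason) so a caller can see *why* access was denied."""
    if not remote_user:
        return False, "no REMOTE_USER: CAS ticket validation did not set a user"
    user_dn = find_user_dn(directory, cfg, remote_user)
    if user_dn is None:
        return False, f"user {remote_user!r} not found under {cfg.base_dn}"
    wanted = normalize_dn(group_dn)
    group = next((a for dn, a in directory.items() if normalize_dn(dn) == wanted), None)
    if group is None:
        return False, f"group {group_dn} not found"
    members = group.get(cfg.group_attribute, [])
    if not members:
        return False, (f"group has no {cfg.group_attribute} values "
                       f"(AuthLDAPGroupAttribute mismatch?)")
    if cfg.group_attribute_is_dn:
        # Compare the user's DN against DN-valued membership entries.
        allowed = normalize_dn(user_dn) in {normalize_dn(m) for m in members}
        subject = f"DN {user_dn}"
    else:
        # Compare the plain username against uid-valued membership entries.
        allowed = remote_user in members
        subject = f"username {remote_user!r}"
    verdict = "is" if allowed else "is not"
    return allowed, f"{subject} {verdict} listed in {cfg.group_attribute}"


if __name__ == "__main__":
    netmon = "cn=netmon,ou=Group,dc=jbc,dc=edu"
    wheel = "cn=wheel,ou=Group,dc=jbc,dc=edu"
    cfg = LdapAuthzConfig()
    for user, group in [("jkelley", netmon), ("portman", netmon), ("portman", wheel)]:
        print(user, group, require_group(DIRECTORY, cfg, user, group))
    dn_cfg = LdapAuthzConfig(group_attribute="member", group_attribute_is_dn=True)
    print("portman", wheel, "(IsDN on)", require_group(DIRECTORY, dn_cfg, "portman", wheel))
```

The `reason` string is the part worth keeping when debugging a setup like the one in this thread: an empty membership attribute points at the wrong `AuthLDAPGroupAttribute`, a missing user points at the base DN or attribute in `AuthLDAPUrl`, and an empty REMOTE_USER means the CAS leg never completed, which is a different problem from LDAP authorization.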
