Can mod_authz_ldap be configured to not handle the authentication phase? I found the following doc about m-a-l and Cosign (similar to CAS) which suggests a patch is needed: http://www.umich.edu/~umweb/downloads/mod_authz_ldap-NOTES.txt
HTH,
-Matt

On Mon, Jun 2, 2008 at 10:24 AM, Chris <[EMAIL PROTECTED]> wrote:
> Hi all,
>
> I have some trouble with a CAS + LDAP config. Here is some info on my
> config (2 servers, one dedicated for CAS + 1 web server hosting websites):
>
> - CAS Server configuration:
>   - CentOS 5
>   - apache-tomcat-5.5.25
>   - cas-server-3.1.1
>   - httpd 2.2.3-11.el5.centos (reverse proxy httpd -> tomcat)
>   - CAS configuration: 3 LDAP authenticationHandlers using 3 MS Active
>     Directories (Europe, America, Asia)
>
> - Web server configuration (hosting websites):
>   - CentOS 5
>   - httpd 2.2.3-11.el5_1.centos.3
>   - mod_authz_ldap-0.26-8.el5
>   - mod_auth_cas-1.0.7 (manually added thru /etc/httpd/conf.d/cas.conf
>     config file with:
> >>>
> LoadModule auth_cas_module modules/mod_auth_cas.so
> <IfModule mod_auth_cas.c>
> CASDebug On
> CASCookiePath /tmp/
> CASLoginURL https://cas-rd.company.com/cas/
> CASValidateURL https://cas-rd.company.com/cas/serviceValidate
> CASCertificatePath /etc/pki/tls/certs/casserver.crt
> CASValidateServer on
> </IfModule>
> <<<
>
> Some tests (.htaccess):
>
> - mod_auth_cas alone:
> AuthType CAS
> AuthName "CAS"
> require valid-user
>
> This works well. I can log in thru CAS.
>
> - mod_authz_ldap alone:
> AuthName "TestProtLDAPz AD"
> AuthType Basic
> AuthzLDAPMethod ldap
> AuthzLDAPServer adserver.eu.company.com:389
> AuthzLDAPBindDN [EMAIL PROTECTED]
> AuthzLDAPBindPassword ********
> AuthzLDAPSetGroupAuth ldapdn
> AuthzLDAPUserKey samaccountname
> AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
> AuthzLDAPUserScope subtree
> require group
> "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"
>
> This works well. I can log in thru LDAP.
>
> - mod_auth_cas (authentication) + mod_authz_ldap (authorization)
> AuthType CAS
> AuthName "CAS Authentication AD"
> AuthzLDAPMethod ldap
> AuthzLDAPServer adserver.eu.company.com:389
> AuthzLDAPBindDN [EMAIL PROTECTED]
> AuthzLDAPBindPassword ********
> AuthzLDAPUserKey samaccountname
> AuthzLDAPUserBase "OU=Subsidiaries,DC=eu,DC=company,DC=com"
> AuthzLDAPUserScope subtree
> AuthzLDAPSetGroupAuth ldapdn
> require group
> "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"
>
> When I try to access the website http://www.company.com/toto.txt , I
> am first redirected to CAS where I log in (no error), then back to the
> website with:
>
> "Forbidden
> You don't have permission to access /toto.txt on this server."
>
> CAS log shows:
> "2008-06-02 16:48:06,505 INFO
> [org.jasig.cas.CentralAuthenticationServiceImpl] - Granted service
> ticket [ST-23-eKtUCGXPZPsA7EV6aTHW] for service
> [http://www.company.com/toto.txt] for user [chris]"
>
> Apache log shows:
> "[Mon Jun 02 16:16:40 2008] [error] [client 172.16.48.21] [27479] no
> password?"
>
>
> Has anyone seen similar behavior? Any idea why this does not work?
>
> Best,
>
> Chris
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
>

--
[EMAIL PROTECTED] Key ID:D6EEC5B5
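As an added example that is not part of the thread and is neither Chris's nor Matt's configuration: the same split (CAS performs authentication, LDAP performs group authorization) written against httpd 2.2's bundled mod_authnz_ldap instead of the separate mod_authz_ldap module. In 2.2, mod_authnz_ldap's authorization hook covers the case where another module authenticated the user: it searches for REMOTE_USER using the attribute and filter in AuthLDAPURL, then evaluates `Require ldap-group` against the DN it found, so no Basic credentials are involved on the authorization side. The host, base DN and group DN are copied from Chris's post; the bind account `svc-apache@eu.company.com`, the `/protected` location and the cookie directory are placeholders I made up for the example.

```apache
# Added example (not from the thread): CAS authentication + AD group
# authorization with httpd 2.2's mod_authnz_ldap. Hostnames, DNs and the
# bind account are placeholders modelled on the thread.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule auth_cas_module    modules/mod_auth_cas.so

<IfModule mod_auth_cas.c>
    CASLoginURL        https://cas-rd.company.com/cas/login
    CASValidateURL     https://cas-rd.company.com/cas/serviceValidate
    CASCertificatePath /etc/pki/tls/certs/casserver.crt
    CASValidateServer  On
    # Session files hold the mapping from cookie to authenticated user:
    # use a directory owned by the httpd user, not the shared /tmp.
    CASCookiePath      /var/cache/mod_auth_cas/
</IfModule>

<Location /protected>
    # Authentication phase: mod_auth_cas validates the service ticket
    # against CASValidateURL and sets REMOTE_USER (r->user).
    AuthType CAS
    AuthName "CAS Authentication AD"

    # Authorization phase: mod_authnz_ldap did not authenticate the user,
    # so it binds as the service account, searches the base DN for
    # sAMAccountName=<REMOTE_USER>, and checks that DN against the group.
    AuthLDAPURL "ldap://adserver.eu.company.com:389/OU=Subsidiaries,DC=eu,DC=company,DC=com?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN       "svc-apache@eu.company.com"
    AuthLDAPBindPassword "********"

    # AD groups list full member DNs in the "member" attribute.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on
    AuthzLDAPAuthoritative     on

    Require ldap-group "CN=DL_RD.Soft.France.Employee,OU=Subsidiaries,DC=eu,DC=company,DC=com"
</Location>
```

Keep the bind DN and password in httpd.conf (or a root-only Include), not in a .htaccess file under the document root, give the service account read-only rights, and prefer `ldaps://` in AuthLDAPURL so the AD lookups do not cross the network in the clear. `LogLevel debug` makes mod_authnz_ldap log the filter it built and the DN it resolved, which is the quickest way to see whether the authorization step is finding the CAS user at all.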
