I've got a system that authenticates and authorizes against m$ active directory. Everything was working fine with authnz_ldap until the admins decided that they needed to add a subgroup to one of the groups I use (and expect me to find people in it).
I did a build today from svn of the 2.3-HEAD to play around with the new subgroup stuff. Got it all configured but I'm having some problems that I believe may be a bug. Don't see anything in asf bugzilla, but figured I'd bounce it here first ..

My login (jdausilio) is a member of a group (objectclass=group) named foo. The group foo is a member of another group called bar. Apache is configured to require membership in group bar, with subgroups included:

    AuthType basic
    AuthBasicProvider ldap
    AuthName "bar group required"
    AuthLDAPBindDN "CN=someCN,OU=someOU,OU=IT,OU=AD_Users,DC=AD,DC=XXX,DC=com"
    AuthLDAPBindPassword aPassWord
    AuthLDAPGroupAttribute "member"
    AuthLDAPSubGroupClass "group"
    AuthLDAPSubGroupAttribute "member"
    AuthLDAPMaxSubGroupDepth 10
    AuthLDAPURL "ldap://ad.xxx.com:3268/DC=AD,DC=XXX,DC=com?sAMAccountName??(&(objectCategory=person)(objectClass=user))"
    Require ldap-group CN=bar,OU=Applications,OU=Resources,OU=Groups,DC=AD,DC=XXX,DC=com

The log (level=debug) appears to say that I've been authenticated *and* authorized!
(sorry about the wrapping)

    mod_authnz_ldap.c(375): [client 10.5.131.52] [31275] auth_ldap authenticate: using URL ldap://ad.xxx.com:3268/DC=AD,DC=XXX,DC=com?sAMAccountName??(&(objectCategory=person)(objectClass=user))
    mod_authnz_ldap.c(472): [client 10.5.131.52] [31275] auth_ldap authenticate: accepting jdausilio
    mod_authnz_ldap.c(741): [client 10.5.131.52] [31275] auth_ldap authorize: require group: testing for group membership in "CN=bar,OU=Applications,OU=Resources,OU=Groups,DC=AD,DC=XXX,DC=com"
    mod_authnz_ldap.c(747): [client 10.5.131.52] [31275] auth_ldap authorize: require group: testing for member: CN=D'Ausilio\\, John,OU=eDevlopment,OU=IT,OU=AD_Users,DC=AD,DC=XXX,DC=com (CN=bar,OU=Applications,OU=Resources,OU=Groups,DC=AD,DC=XXX,DC=com)
    mod_authnz_ldap.c(763): [client 10.5.131.52] [31275] auth_ldap authorise: require group "CN=bar,OU=Applications,OU=Resources,OU=Groups,DC=AD,DC=XXX,DC=com": failed [Comparison false (cached)][5 - Compare False], checking sub-groups
    util_ldap.c(1241): [client 10.5.131.52] [31275] util_ldap: Making local copy of SGL for group (CN=bar,OU=Applications,OU=Resources,OU=Groups,DC=AD,DC=XXX,DC=com)(objectClass=group)
    util_ldap.c(1378): [client 10.5.131.52] [31275] util_ldap: Found user jdausilio in a subgroup (CN=foo,OU=Distribution Lists,DC=AD,DC=XXX,DC=com) at level 1 of 10.
    mod_authnz_ldap.c(774): [client 10.5.131.52] [31275] auth_ldap authorise: require group (sub-group): authorisation successful (attribute member) [Comparison true (cached)][6 - Compare True]
    [client 10.5.131.52] user jdausilio: authorization failure for "/index.html":

It appears to me that it should be letting me in, but it's not. Before filing a bug .. is this all sane?

jd
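The post above exercises the nested-group walk that `Require ldap-group` performs when `AuthLDAPSubGroupClass`, `AuthLDAPSubGroupAttribute` and `AuthLDAPMaxSubGroupDepth` are set: compare the user against the group's `member` values first, and only if that fails descend into members whose object class matches the subgroup class, up to the configured depth. The following is an added example, not code from the post or from httpd itself. It models that walk in Python over a constructed in-memory directory (the DNs, the `DIRECTORY` table and the `is_member` function are all assumptions made for the example), so a reader can see what "level 1 of 10" in the log means and how depth limits and group cycles are handled.

```python
# Added example (not from the mailing-list post or from mod_authnz_ldap):
# a model of the "Require ldap-group" check with subgroup descent.
# The directory is constructed in memory with placeholder DNs.
from collections import deque

# Constructed directory: DN -> attributes. Attribute values are lists, as in LDAP.
# foo is a member of bar (the post's situation); foo also lists bar as a member
# to show that a cycle does not loop forever; baz sits two levels deep.
DIRECTORY = {
    "CN=bar,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=foo,OU=Groups,DC=example,DC=com",
                   "CN=alice,OU=Users,DC=example,DC=com"],
    },
    "CN=foo,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=jdausilio,OU=Users,DC=example,DC=com",
                   "CN=bar,OU=Groups,DC=example,DC=com",   # cycle back to bar
                   "CN=baz,OU=Groups,DC=example,DC=com"],
    },
    "CN=baz,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=carol,OU=Users,DC=example,DC=com"],
    },
    "CN=alice,OU=Users,DC=example,DC=com": {"objectClass": ["user", "person"]},
    "CN=jdausilio,OU=Users,DC=example,DC=com": {"objectClass": ["user", "person"]},
    "CN=carol,OU=Users,DC=example,DC=com": {"objectClass": ["user", "person"]},
}


def _norm(dn: str) -> str:
    # DN matching in Active Directory is case-insensitive and ignores whitespace
    # around RDN separators; this is a simplified normalisation for comparison.
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Normalised lookup table so member DNs written with different casing still resolve.
INDEX = {_norm(dn): attrs for dn, attrs in DIRECTORY.items()}


def is_member(user_dn: str, group_dn: str, group_attr: str = "member",
              subgroup_class: str = "group", max_depth: int = 10):
    """Return (authorised, level).

    level 0 means the user is listed directly in group_dn (the "Compare" step in
    the httpd log); level N >= 1 means the user was found N subgroup hops down,
    matching the log's "in a subgroup ... at level N of max_depth".
    """
    target = _norm(user_dn)
    visited = set()                      # guards against group cycles
    queue = deque([(group_dn, 0)])       # breadth-first: (group DN, level)
    while queue:
        gdn, level = queue.popleft()
        key = _norm(gdn)
        if key in visited:
            continue
        visited.add(key)
        entry = INDEX.get(key)
        if entry is None:
            continue                     # dangling member reference: ignore
        members = entry.get(group_attr, [])
        # Direct comparison of the user DN against the group's member values.
        if any(_norm(m) == target for m in members):
            return True, level
        # Descend only while the depth limit allows and only into members whose
        # objectClass matches AuthLDAPSubGroupClass.
        if level >= max_depth:
            continue
        for m in members:
            sub = INDEX.get(_norm(m))
            if sub is not None and subgroup_class in sub.get("objectClass", []):
                queue.append((m, level + 1))
    return False, -1


if __name__ == "__main__":
    bar = "CN=bar,OU=Groups,DC=example,DC=com"
    print(is_member("CN=jdausilio,OU=Users,DC=example,DC=com", bar))
    print(is_member("CN=jdausilio,OU=Users,DC=example,DC=com", bar, max_depth=0))
```

With the constructed data, jdausilio is found at level 1 (via foo), alice at level 0, and carol at level 2 (via foo then baz); setting `max_depth=0` reduces the check to direct membership, which is the behaviour the post's log reports as "Comparison false" before the subgroup search begins. The model only covers the membership walk; it says nothing about why the post's request was still refused after the subgroup match.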