Here's a documentation example for configuring against a Unix-style LDAP 
directory such as IPA; Apache's defaults seem to favor AD-style schema.

https://www.linux.com/news/apache-authentication-and-authorization-using-ldap

Order deny,allow
Deny from All
AuthName "Company.com Intranet"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPUrl ldap://ldap.company.com/ou=People,dc=company,dc=com?uid
# This one is important
AuthLDAPGroupAttribute memberUid
# and this
AuthLDAPGroupAttributeIsDN off
# and this
Require ldap-group cn=infosys,ou=Group,dc=company,dc=com
# FreeIPA uses private primary groups, so this can be omitted.
Require ldap-attribute gidNumber=420
# Can be omitted too
Satisfy any
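To make the difference between the two group attributes concrete, here is an added example that is not part of the thread and not Apache's own code: a small Python simulation of the membership test mod_authnz_ldap performs for `Require ldap-group`. With AuthLDAPGroupAttributeIsDN on (Apache's default, with attributes member and uniqueMember) the user's DN is looked for on the group entry; with it off, the authenticated username is looked for instead. The two group entries are constructed from the values quoted in the thread (the compat-tree entry with memberUid, and an accounts-tree entry with member holding a full DN); the function names and the USER_DN value are this example's own assumptions.

```python
"""Simulate the membership check behind Apache's `Require ldap-group`.

Added example, not from the mailing-list thread or from httpd itself. The LDIF
entries below are constructed from the thread's values so the configurations
discussed above can be compared against what FreeIPA actually publishes.
"""

# Apache's AuthLDAPGroupAttribute default: "member uniqueMember".
DEFAULT_GROUP_ATTRS = ("member", "uniqueMember")

# Constructed: the POSIX-style view FreeIPA's compat tree exposes (from the thread).
COMPAT_GROUP = """
dn: cn=webtest,cn=groups,cn=compat,dc=domain,dc=de
gidNumber: 101010
memberUid: sebastian
"""

# Constructed: the same group as it appears in the accounts tree (membership as DNs).
ACCOUNTS_GROUP = """
dn: cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de
gidNumber: 101010
member: uid=sebastian,cn=users,cn=accounts,dc=domain,dc=de
"""

# Assumed DN of the authenticated user (uid lookup under cn=users,cn=accounts).
USER_DN = "uid=sebastian,cn=users,cn=accounts,dc=domain,dc=de"
USER_UID = "sebastian"


def parse_ldif(text):
    """Parse one LDIF entry into (dn, {attr_lowercase: [values]})."""
    dn, attrs = None, {}
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is None:
        raise ValueError("LDIF entry has no dn")
    return dn, attrs


def normalize_dn(dn):
    """Case- and whitespace-insensitive comparison form for a DN (sufficient here)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def ldap_group_allows(group_ldif, require_group, group_attrs, attr_is_dn, user_dn, user_uid):
    """Mimic `Require ldap-group <require_group>` for an already-authenticated user.

    Apache compares against the entry named by <require_group>, so a bare group
    name never matches. The value it looks for on that entry is the user's DN
    when AuthLDAPGroupAttributeIsDN is on, otherwise the authenticated username.
    Returns (allowed, reason).
    """
    group_dn, attrs = parse_ldif(group_ldif)
    if normalize_dn(require_group) != normalize_dn(group_dn):
        return False, f"no entry with DN {require_group!r}; Require ldap-group needs the group DN"
    wanted = normalize_dn(user_dn) if attr_is_dn else user_uid
    for attr in group_attrs:
        values = attrs.get(attr.lower(), [])
        if attr_is_dn:
            values = [normalize_dn(v) for v in values]
        if wanted in values:
            return True, f"{attr} on {group_dn} contains {wanted!r}"
    return False, f"none of {list(group_attrs)} on {group_dn} contains {wanted!r}"


if __name__ == "__main__":
    compat_dn = "cn=webtest,cn=groups,cn=compat,dc=domain,dc=de"
    accounts_dn = "cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de"
    scenarios = [
        ("bare group name, Apache defaults",
         ldap_group_allows(COMPAT_GROUP, "webtest", DEFAULT_GROUP_ATTRS, True, USER_DN, USER_UID)),
        ("compat DN, Apache defaults (member/uniqueMember, IsDN on)",
         ldap_group_allows(COMPAT_GROUP, compat_dn, DEFAULT_GROUP_ATTRS, True, USER_DN, USER_UID)),
        ("compat DN, memberUid with IsDN off",
         ldap_group_allows(COMPAT_GROUP, compat_dn, ("memberUid",), False, USER_DN, USER_UID)),
        ("accounts DN, Apache defaults",
         ldap_group_allows(ACCOUNTS_GROUP, accounts_dn, DEFAULT_GROUP_ATTRS, True, USER_DN, USER_UID)),
    ]
    for label, (allowed, reason) in scenarios:
        print(f"{'ALLOW' if allowed else 'DENY ':5} {label}: {reason}")
```

Run it and the four scenarios line up with the thread: a bare `webtest` fails because Apache compares against an entry by DN; the compat entry fails under Apache's defaults because it carries memberUid rather than member; it passes once the group attribute is memberUid and AuthLDAPGroupAttributeIsDN is off; and the accounts-tree entry passes with the defaults because its member values are full user DNs, which is the other viable route if the users are looked up under cn=users,cn=accounts.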


-----Original Message-----
From: Sebastian Kösters [mailto:skoest...@gmx.de] 
Sent: Monday, 22 May 2017 16:36
To: Hummelink, Wouter; free...@0xc0dedbad.com; 
freeipa-users@lists.fedorahosted.org
Subject: Re: [Freeipa-users] Re: freeipa ldap + htaccess question

so, like this?

AuthBasicProvider ldap
AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?member"
require ldap-group webtest

does not work for me?

"user sebastian not found".

Here you can see that I am a member of the group:

dn: cn=webtest,cn=groups,cn=compat,dc=domain,dc=de
gidNumber: 101010
memberUid: sebastian

I also tried using the above DN.

BR and thanks!




On 22.05.2017 16:23, wouter.hummel...@kpn.com wrote:
> Use Require ldap-group <groupname>
> 
> Apache's ldap implementation supports looking up group membership. 
> 
> The attribute on the group is member
> 
> 
> 
> Sent from my Samsung device
> 
> 
> -------- Original message --------
> From: Sebastian Kösters <skoest...@gmx.de>
> Date: 22-05-17 16:11 (GMT+01:00)
> To: Peter Fern <free...@0xc0dedbad.com>, 
> freeipa-users@lists.fedorahosted.org
> Subject: [Freeipa-users] Re: freeipa ldap + htaccess question
> 
> Hi,
> 
> I also already tried this :) ...also with the group's DN (which I found 
> via ldapsearch).
> 
> Sadly it did not help.
> 
> BR
> 
> On 22.05.2017 16:05, Peter Fern wrote:
>> The gidNumber attribute is just the primary group.  You won't see any 
>> supplementary groups there, just like /etc/passwd.  Use memberOf with 
>> the group's DN or something for supplementary groups.
>> 
>> If you want to see what the data looks like in the directory, just 
>> use ldapsearch - this is all standard LDAP stuff, you just need to 
>> understand the schemas that are used.
>> 
>> On 22/05/17 23:19, Sebastian Kösters wrote:
>>> Hi all!
>>>
>>> I have a question about the use of LDAP with .htaccess in freeIPA.
>>>
>>> I am using freeIPA (V. 4.4.0-14 with CentOS 7). I now wanted to also 
>>> use .htaccess with LDAP.
>>>
>>> My first try was this:
>>>
>>> ---
>>>
>>> Order allow,deny
>>> Allow from all
>>> AuthName "test"
>>> AuthType Basic
>>> AuthBasicProvider ldap
>>> AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid"
>>> Require valid-user
>>>
>>> ---
>>>
>>> This works perfectly fine for users I created in the freeIPA web interface.
>>>
>>> I now have to make some changes. Some users should be able to log in 
>>> on the website that uses the .htaccess and some should not be able to log in.
>>>
>>> So I decided to create a group and add all users which should be 
>>> allowed to log in via .htaccess.
>>>
>>> So my first try was this:
>>>
>>> ---
>>>
>>> [...]
>>> Require ldap-attribute gidNumber=101010 [...]
>>>
>>> ---
>>>
>>> 101010 is the gid of my newly created group (webtest). That did not 
>>> work. If I use the gid of the "main" group of the users, it's working 
>>> fine (the user is definitely part of the new group).
>>>
>>> I also tried several other ways I found with the help of Google, to 
>>> only allow users which are members of the group to have access, but 
>>> every attempt failed.
>>>
>>> Maybe one of you guys is able to help me?!
>>>
>>> Thank you and best regards
>>> Sebastian
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to 
>>> freeipa-users-le...@lists.fedorahosted.org
