I'm trying to set up LDAP authentication with Apache, and I keep running
into issues with syntax.  I've got logging set to debug, which has helped
somewhat.

Here's the code for the directory I'm restricting access to in httpd.conf:

 <Directory /home/user/test.watkins.edu/html>
   AllowOverride None
   Order deny,allow
   Deny from All
   AuthName "Watkins Test"
   AuthType Basic
   AuthBasicProvider ldap
   AuthzLDAPAuthoritative on
   AuthLDAPUrl "ldap://ldap.watkins.edu/ou=people,dc=watkins,dc=edu?uid"
   AuthLDAPGroupAttributeIsDN off
   AuthLDAPGroupAttribute member
   Require ldap-group cn=test_me,ou=group,dc=watkins,dc=edu
   Require ldap-attribute gidNumber=1029
   Satisfy any
 </Directory>

The idea is that you have to be in the "test_me" group in order to
authenticate.  I've added myself to that group, and when I try to log in, my
user name and password are accepted, but the authentication fails during
group membership lookup.  Here's an example from error.log:

[debug] mod_authnz_ldap.c(390): [client 192.168.1.196] [16822] auth_ldap authenticate: using URL ldap://ldap.watkins.edu/ou=people,dc=watkins,dc=edu?uid

[debug] mod_authnz_ldap.c(489): [client 192.168.1.196] [16822] auth_ldap authenticate: accepting curt

[debug] mod_authnz_ldap.c(816): [client 192.168.1.196] [16822] auth_ldap authorise: require group: testing for group membership in "cn=test_me,ou=group,dc=watkins,dc=edu"

[debug] mod_authnz_ldap.c(822): [client 192.168.1.196] [16822] auth_ldap authorise: require group: testing for member: curt (cn=test_me,ou=group,dc=watkins,dc=edu)

[debug] mod_authnz_ldap.c(838): [client 192.168.1.196] [16822] auth_ldap authorise: require group "cn=test_me,ou=group,dc=watkins,dc=edu": authorisation failed [Comparison complete]*[Invalid syntax]*

[debug] mod_authnz_ldap.c(976): [client 192.168.1.196] [16822] auth_ldap authorise: authorisation denied

I've taken the timestamp away and added a line to make the log entries a
little more readable.  The original examples I've seen for the directory
entry specify "memberUid" - but that's not how our LDAP is set up.  I get a
different error if I try that.  The group number is correct, and even with a
lot of twiddling, what I see is the "Invalid syntax" error - and the
authentication fails.  I've verified that my user name is indeed a member of
the "test_me" LDAP group.

Any thoughts?  There's little documentation that I've uncovered, and much of
it is duplicated from other sites, apparently.

Curt
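As an added illustration (not part of Curt's post or of Apache's own code), the following toy model shows what mod_authnz_ldap's "Require ldap-group" check asks the directory to do: with AuthLDAPGroupAttributeIsDN off it issues an LDAP Compare of the bare username against the group attribute, and with it on it compares the authenticated user's DN. The directory entries, the user DN and the DN-syntax rule are constructed stand-ins, not data from the real server.

```python
# Added example: a minimal model of the LDAP Compare behind "Require ldap-group".
# The entries below are constructed; the real directory is assumed to hold an
# entry uid=curt,ou=people,dc=watkins,dc=edu and a groupOfNames-style group.
import re

DIRECTORY = {
    "uid=curt,ou=people,dc=watkins,dc=edu": {"uid": ["curt"], "gidNumber": ["1029"]},
    "cn=test_me,ou=group,dc=watkins,dc=edu": {
        "member": ["uid=curt,ou=people,dc=watkins,dc=edu"],
    },
}

# Attributes whose LDAP syntax is "distinguished name" (member of groupOfNames,
# uniqueMember of groupOfUniqueNames). memberUid (posixGroup) is a plain string.
DN_SYNTAX_ATTRS = {"member", "uniquemember"}
DN_RE = re.compile(r"^[a-z][a-z0-9-]*=[^,=]+(,[a-z][a-z0-9-]*=[^,=]+)*$", re.I)


def ldap_compare(entry_dn, attr, value):
    """Model the LDAP Compare operation: a value that does not fit the attribute's
    syntax is rejected with invalidSyntax (result code 21) before any matching."""
    if attr.lower() in DN_SYNTAX_ATTRS and not DN_RE.match(value):
        return "invalidSyntax"
    entry = DIRECTORY[entry_dn]
    return "compareTrue" if value in entry.get(attr, []) else "compareFalse"


def require_ldap_group(username, group_dn, group_attr, attr_is_dn):
    """What the module does after a successful bind: assert either the bare
    username (AuthLDAPGroupAttributeIsDN off) or the user's DN (on) against
    group_attr (AuthLDAPGroupAttribute) of the group entry."""
    user_dn = next(dn for dn, e in DIRECTORY.items() if username in e.get("uid", []))
    asserted = user_dn if attr_is_dn else username
    return ldap_compare(group_dn, group_attr, asserted)


if __name__ == "__main__":
    group = "cn=test_me,ou=group,dc=watkins,dc=edu"
    # Bare username against a DN-syntax attribute: the server cannot even parse it.
    print("IsDN off:", require_ldap_group("curt", group, "member", False))
    # User DN against the same attribute: a real membership comparison happens.
    print("IsDN on: ", require_ldap_group("curt", group, "member", True))
```

Comparing the two results against the "[Invalid syntax]" line in the error.log excerpt is the quickest way to see whether the value Apache is asserting matches the syntax of the group attribute it is asked to compare against.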

-- 
You received this message because you are subscribed to the Google Groups 
"NLUG" group.