Oh man, I had so many problems with ldap in Apache. It doesn't help that
there's at least 3 versions (if you include Apache 1) of it floating
about. I believe I never got that version you're using working correctly
as it requires a schema structure that neither AD nor our LDAP schema
used (I think it requires groups be listed in the user object or
something odd like that). I believe I ended up using a mod_perl version
of LDAP auth modified to work with our schema structure. Unfortunately,
I don't have access to the source anymore but the unmodified version is
out there somewhere.
On 06/02/2011 06:14 PM, Curt Lundgren wrote:
I'm trying to set up LDAP authentication with Apache, and I keep
running into issues with syntax. I've got logging set to debug, which
has helped somewhat.
Here's the code for the directory I'm restricting access to in httpd.conf:
<Directory /home/user/test.watkins.edu/html>
    AllowOverride None
    Order deny,allow
    Deny from All
    AuthName "Watkins Test"
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPUrl "ldap://ldap.watkins.edu/ou=people,dc=watkins,dc=edu?uid"
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute member
    Require ldap-group cn=test_me,ou=group,dc=watkins,dc=edu
    Require ldap-attribute gidNumber=1029
    Satisfy any
</Directory>
The idea is that you have to be in the "test_me" group in order to
authenticate. I've added myself to that group, and when I try to log
in, my user name and password are accepted, but the authentication
fails during group membership lookup. Here's an example from error.log:
[debug] mod_authnz_ldap.c(390): [client 192.168.1.196] [16822]
auth_ldap authenticate: using URL
ldap://ldap.watkins.edu/ou=people,dc=watkins,dc=edu?uid
[debug] mod_authnz_ldap.c(489): [client 192.168.1.196] [16822]
auth_ldap authenticate: accepting curt
[debug] mod_authnz_ldap.c(816): [client 192.168.1.196] [16822]
auth_ldap authorise: require group: testing for group membership in
"cn=test_me,ou=group,dc=watkins,dc=edu"
[debug] mod_authnz_ldap.c(822): [client 192.168.1.196] [16822]
auth_ldap authorise: require group: testing for member: curt
(cn=test_me,ou=group,dc=watkins,dc=edu)
[debug] mod_authnz_ldap.c(838): [client 192.168.1.196] [16822]
auth_ldap authorise: require group
"cn=test_me,ou=group,dc=watkins,dc=edu": authorisation failed
[Comparison complete]*[Invalid syntax]*
[debug] mod_authnz_ldap.c(976): [client 192.168.1.196] [16822]
auth_ldap authorise: authorisation denied
I've taken the timestamp away and added a line to make the log entries
a little more readable. The original examples I've seen for the
directory entry specify "memberUid" - but that's not how our LDAP is
set up. I get a different error if I try that. The group number is
correct, and even with a lot of twiddling, what I see is the "Invalid
syntax" error - and the authentication fails. I've verified that my
user name is indeed a member of the "test_me" LDAP group.
Any thoughts? There's little documentation that I've uncovered, and
much of it is duplicated from other sites, apparently.
Curt
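The debug entries above separate two different questions: authentication (mod_authnz_ldap accepting "curt") and authorisation (the group-membership compare that ends in "Invalid syntax"). As an added example that is not part of this thread and not Apache's own code, here is a small Python parser that reads mod_authnz_ldap debug lines like the ones quoted, folds one request into an authn/authz summary, and classifies the outcome. The sample log is constructed from the post (timestamps removed, wrapped entries rejoined); the `dn-group-vs-bare-username` rule in `diagnose()` is an assumption added here, not a conclusion stated in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the six debug entries quoted in the post, with the
# timestamp removed and each wrapped entry rejoined onto a single line.
SAMPLE_LOG = """\
[debug] mod_authnz_ldap.c(390): [client 192.168.1.196] [16822] auth_ldap authenticate: using URL ldap://ldap.watkins.edu/ou=people,dc=watkins,dc=edu?uid
[debug] mod_authnz_ldap.c(489): [client 192.168.1.196] [16822] auth_ldap authenticate: accepting curt
[debug] mod_authnz_ldap.c(816): [client 192.168.1.196] [16822] auth_ldap authorise: require group: testing for group membership in "cn=test_me,ou=group,dc=watkins,dc=edu"
[debug] mod_authnz_ldap.c(822): [client 192.168.1.196] [16822] auth_ldap authorise: require group: testing for member: curt (cn=test_me,ou=group,dc=watkins,dc=edu)
[debug] mod_authnz_ldap.c(838): [client 192.168.1.196] [16822] auth_ldap authorise: require group "cn=test_me,ou=group,dc=watkins,dc=edu": authorisation failed [Comparison complete][Invalid syntax]
[debug] mod_authnz_ldap.c(976): [client 192.168.1.196] [16822] auth_ldap authorise: authorisation denied
"""

# Fixed prefix that mod_authnz_ldap puts on every debug entry.
LINE_RE = re.compile(
    r"^\[(?P<level>\w+)\] mod_authnz_ldap\.c\((?P<src>\d+)\): "
    r"\[client (?P<client>[^\]]+)\] \[(?P<pid>\d+)\] "
    r"auth_ldap (?P<phase>authenticate|authorise): (?P<msg>.*)$"
)
# Message-specific patterns for the entries this parser cares about.
ACCEPT_RE = re.compile(r"^accepting (?P<user>\S+)$")
GROUP_RE = re.compile(r'^require group: testing for group membership in "(?P<dn>[^"]+)"$')
MEMBER_RE = re.compile(r"^require group: testing for member: (?P<member>.+?) \((?P<dn>[^)]+)\)$")
FAIL_RE = re.compile(
    r'^require group "(?P<dn>[^"]+)": authorisation failed '
    r"\[(?P<status>[^\]]*)\]\[(?P<error>[^\]]*)\]$"
)


@dataclass
class LdapEvent:
    level: str
    src_line: int
    client: str
    pid: int
    phase: str  # "authenticate" (who are you) or "authorise" (may you)
    msg: str


@dataclass
class RequestSummary:
    client: Optional[str] = None
    user: Optional[str] = None          # set once authentication succeeded
    groups_tested: List[str] = field(default_factory=list)
    member_value: Optional[str] = None  # value compared against the group attribute
    ldap_status: Optional[str] = None
    ldap_error: Optional[str] = None
    denied: bool = False


def parse_line(line: str) -> Optional[LdapEvent]:
    """Parse one error.log entry; return None for lines from other modules."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return LdapEvent(m["level"], int(m["src"]), m["client"], int(m["pid"]),
                     m["phase"], m["msg"])


def summarize(log_text: str) -> RequestSummary:
    """Fold the entries of one request into a single authn/authz picture."""
    s = RequestSummary()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        s.client = ev.client
        if ev.phase == "authenticate":
            m = ACCEPT_RE.match(ev.msg)
            if m:
                s.user = m["user"]
            continue
        if (m := GROUP_RE.match(ev.msg)):
            s.groups_tested.append(m["dn"])
        elif (m := MEMBER_RE.match(ev.msg)):
            s.member_value = m["member"]
        elif (m := FAIL_RE.match(ev.msg)):
            s.ldap_status, s.ldap_error = m["status"], m["error"]
        elif ev.msg == "authorisation denied":
            s.denied = True
    return s


def diagnose(s: RequestSummary) -> str:
    """Classify the request outcome.

    The 'dn-group-vs-bare-username' rule is an assumption added in this
    example, not something the post states: an LDAP compare that ends in
    'Invalid syntax' while the value under test is a plain username (no '='
    in it) is the symptom of a DN-valued group attribute (e.g. 'member' in a
    groupOfNames) being compared against the bare uid, which is what
    AuthLDAPGroupAttributeIsDN off asks the module to do."""
    if s.user is None:
        return "authn-failed"
    if not s.denied:
        return "authorised"
    bare = s.member_value is not None and "=" not in s.member_value
    if s.ldap_error == "Invalid syntax" and bare:
        return "dn-group-vs-bare-username"
    return "authz-denied"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    print(f"{summary.client}: user={summary.user} denied={summary.denied} "
          f"ldap_error={summary.ldap_error!r} -> {diagnose(summary)}")
```

Keeping the two phases apart matters operationally: "accepting curt" followed by "authorisation denied" means valid credentials were presented by someone who holds no entitlement for that directory, which is a different signal from a wrong password and worth counting separately in whatever watches error.log.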
--
You received this message because you are subscribed to the Google
Groups "NLUG" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at
http://groups.google.com/group/nlug-talk?hl=en