Thanks Richard - for the moment, I've given up on the group membership
approach.  There are only a few users who need to authorize, and the
authentication worked immediately.  I don't care for the idea of having to
modify httpd.conf to change the list of people, but I also don't expect to
have to change the list often.

Curt

On Fri, Jun 3, 2011 at 8:55 PM, Richard Thomas <[email protected]> wrote:

> Oh man, I had so many problems with ldap in Apache. It doesn't help that
> there are at least 3 versions (if you include Apache 1) of it floating about.
> I believe I never got that version you're using working correctly as it
> requires a schema structure that neither AD nor our LDAP schema used (I think
> it requires groups be listed in the user object or something odd like that).
> I believe I ended up using a mod_perl version of LDAP auth modified to work
> with our schema structure. Unfortunately, I don't have access to the source
> anymore but the unmodified version is out there somewhere.
>
>
> On 06/02/2011 06:14 PM, Curt Lundgren wrote:
>
> I'm trying to set up LDAP authentication with Apache, and I keep running
> into issues with syntax.  I've got logging set to debug, which has helped
> somewhat.
>
> Here's the code for the directory I'm restricting access to in httpd.conf:
>
>   <Directory /home/user/test.watkins.edu/html>
>     AllowOverride None
>     Order deny,allow
>     Deny from All
>     AuthName "Watkins Test"
>     AuthType Basic
>     AuthBasicProvider ldap
>     AuthzLDAPAuthoritative on
>     AuthLDAPUrl "ldap://ldap.watkins.edu/ou=people,dc=watkins,dc=edu?uid"
>     AuthLDAPGroupAttributeIsDN off
>     AuthLDAPGroupAttribute member
>     Require ldap-group cn=test_me,ou=group,dc=watkins,dc=edu
>     Require ldap-attribute gidNumber=1029
>     Satisfy any
>   </Directory>
>
> The idea is that you have to be in the "test_me" group in order to
> authenticate.  I've added myself to that group, and when I try to log in, my
> user name and password are accepted, but the authentication fails during
> group membership lookup.  Here's an example from error.log:
>
> [debug] mod_authnz_ldap.c(390): [client 192.168.1.196] [16822] auth_ldap authenticate: using URL ldap://ldap.watkins.edu/ou=people,dc=watkins,dc=edu?uid
>
> [debug] mod_authnz_ldap.c(489): [client 192.168.1.196] [16822] auth_ldap authenticate: accepting curt
>
> [debug] mod_authnz_ldap.c(816): [client 192.168.1.196] [16822] auth_ldap authorise: require group: testing for group membership in "cn=test_me,ou=group,dc=watkins,dc=edu"
>
> [debug] mod_authnz_ldap.c(822): [client 192.168.1.196] [16822] auth_ldap authorise: require group: testing for member: curt (cn=test_me,ou=group,dc=watkins,dc=edu)
>
> [debug] mod_authnz_ldap.c(838): [client 192.168.1.196] [16822] auth_ldap authorise: require group "cn=test_me,ou=group,dc=watkins,dc=edu": authorisation failed [Comparison complete]*[Invalid syntax]*
>
> [debug] mod_authnz_ldap.c(976): [client 192.168.1.196] [16822] auth_ldap authorise: authorisation denied
>
> I've taken the timestamp away and added a line to make the log entries a
> little more readable.  The original examples I've seen for the directory
> entry specify "memberUid" - but that's not how our LDAP is set up.  I get a
> different error if I try that.  The group number is correct, and even with a
> lot of twiddling, what I see is the "Invalid syntax" error - and the
> authentication fails.  I've verified that my user name is indeed a member of
> the "test_me" LDAP group.
>
> Any thoughts?  There's little documentation that I've uncovered, and much
> of it is duplicated from other sites, apparently.
>
> Curt
> --
> You received this message because you are subscribed to the Google Groups
> "NLUG" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to
> [email protected]
> For more options, visit this group at
> http://groups.google.com/group/nlug-talk?hl=en
>
>
>

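The "[Comparison complete][Invalid syntax]" line in the quoted log is the result of the LDAP compare that mod_authnz_ldap issues for each `Require ldap-group`. As an added example (not from this thread and not Apache's code), the Python below is a small offline model of that compare against a constructed group entry: with `AuthLDAPGroupAttributeIsDN off` the module sends the bare username, which a DN-valued attribute such as `member` rejects as invalid syntax, while `on` sends the user's DN. The group entries, the user DN and the set of DN-syntax attributes are constructed assumptions for illustration.

```python
# Added example: an offline model of the compare behind "Require ldap-group".
# Not Apache's code; behaviour of AuthLDAPGroupAttributeIsDN taken from the
# mod_authnz_ldap documentation (on = compare user DN, off = compare username).
from dataclasses import dataclass, field

# Assumption: these group attributes carry DN syntax (groupOfNames.member,
# groupOfUniqueNames.uniqueMember); memberUid (posixGroup) is a plain string.
DN_SYNTAX_ATTRS = {"member", "uniquemember"}

@dataclass
class GroupEntry:
    dn: str
    attrs: dict = field(default_factory=dict)   # attribute -> list of values

def normalize_dn(dn: str) -> str:
    # Just enough normalisation for matching: lowercase, trim around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def looks_like_dn(value: str) -> bool:
    # Every RDN must be attr=value; a bare uid such as "curt" fails this.
    return all("=" in part for part in value.split(","))

def ldap_compare(group: GroupEntry, attr: str, value: str) -> str:
    """Emulate the server side of an LDAP compare on one group entry.
    Returns 'compareTrue', 'compareFalse' or 'invalidSyntax' (resultCode 21)."""
    values = group.attrs.get(attr, [])
    if attr.lower() in DN_SYNTAX_ATTRS:
        if not looks_like_dn(value):
            return "invalidSyntax"          # what the thread's log shows
        matched = normalize_dn(value) in {normalize_dn(v) for v in values}
    else:
        matched = value in values
    return "compareTrue" if matched else "compareFalse"

def require_ldap_group(group: GroupEntry, group_attr: str, attr_is_dn: bool,
                       user: str, user_dn: str) -> str:
    """Assertion value the module sends: the user's DN when
    AuthLDAPGroupAttributeIsDN is on, otherwise the bare username."""
    assertion = user_dn if attr_is_dn else user
    return ldap_compare(group, group_attr, assertion)

# Constructed sample data mirroring the DNs used in the thread.
USER, USER_DN = "curt", "uid=curt,ou=people,dc=watkins,dc=edu"
GROUP_OF_NAMES = GroupEntry("cn=test_me,ou=group,dc=watkins,dc=edu",
                            {"member": [USER_DN]})
POSIX_GROUP = GroupEntry("cn=test_me,ou=group,dc=watkins,dc=edu",
                         {"memberUid": [USER]})

if __name__ == "__main__":
    print(require_ldap_group(GROUP_OF_NAMES, "member", False, USER, USER_DN))  # invalidSyntax
    print(require_ldap_group(GROUP_OF_NAMES, "member", True, USER, USER_DN))   # compareTrue
    print(require_ldap_group(POSIX_GROUP, "memberUid", False, USER, USER_DN))  # compareTrue
```

The pairing to check in a real deployment is therefore attribute type against the IsDN setting: a DN-valued group attribute needs `on`, a username-valued one such as memberUid needs `off`.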