Re: [gentoo-user] Why is apache 2.2 hard masked? - comments to my (preliminary) solution

2007-04-16 Thread Wolfgang Liebich
Hi,
Mike Williams schrieb:
> On Thursday 12 April 2007 06:13:44 Wolfgang Liebich wrote:
>> OK - it is in testing. Does anyone here have experience with how stable
>> it is to run? Maybe I need it b/c of a new auth module
>> which does not seem to be available in apache 2.0.58...
>
> Oddly enough...
> http://archives.gentoo.org/gentoo-server/msg_11696.xml
>
> (I've not used the auth modules though)
Thank you all for your answers. I will try to press forward with apache
2.2.4. The reason I need it is that I need to authenticate/authorize users
against a Windows ActiveDirectory domain. This is done using LDAP. Until
now we only had users coming from one OU served by our DC, so that
setup worked w/o a hitch. BUT now we have gotten a user from a different
OU, and ... well, I could not get mod_auth_ldap to look up the user from
a BaseDN one level up (BUT searching the user via ldapsearch cmdline
worked - IDGI).
Apache's own mod_auth_ldap (which you get with USE=ldap) didn't
work, either..
SO I decided to go forward to apache 2.2.4 and use 2 LDAP
authentication instances, each with a working BaseDN pointing to the
wanted OU (same server, only the most specific OU in the BaseDN
different) and unify them with mod_authn_alias. For simplicity I used
apache's own mod_authnz_ldap.
This setup seems to work, with some caveats:
- You have to mark both LDAP auth module configurations with
  AuthzLDAPAuthoritative=off
- If you want to restrict access to your site to users belonging to a
  specified group, you cannot just use mod_authnz_ldap's require
  ldap-group feature b/c the module doing authorization checks is
  mod_authn_alias -- which has NO idea what require ldap-group means.
  Sigh. BUT:
  -- you can do some evil tricks with the ldap URL to fake this require
  ldap-group trick: You modify the search string (the last part of the
  LDAP url) to something like
    (&(original part, e.g. 'objectType=*')(memberOf=DN of the user group))
  This has the effect that users not belonging to your wanted group are
  just not found.
  This is NOT the same as saying users not in this group are not
  AUTHORIZED, but it is a working fake.

Well, I've got a working system this way, therefore my boss will
probably ask me to stop researching further :-).
But I'm not totally satisfied with the current solution, b/c
- I still don't get the REASON why the ldap auth modules can't find the
  user(s) but ldapsearch can.
- The solution is ugly :-) Seriously - I want to be able to use a single
  authn/authz provider. Maybe mod_auth_kerberos would be better?
- Earlier on I looked into mod_auth_pam (for
  authentication/authorization against our NIS/YP domain). BUT I didn't
  use it b/c it seemed to REQUIRE that apache gets read access to
  /etc/shadow. WHY? If I use pam+NIS, the local shadow pwd file should
  never need to be read, right? (Also a fellow sysadmin cautioned me
  against mod_auth_pam b/c he claimed it to be rather dead - i.e. not
  developed further).
Comments/Experiences would be very welcome!
Ciao,
Wolfgang
(English is NOT my native tongue :-( )
-- 
[EMAIL PROTECTED] mailing list
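An added Apache 2.2 configuration sketch of the two-provider setup Wolfgang describes (my own illustration, not his actual httpd.conf): two mod_authnz_ldap aliases, one per OU, chained through mod_authn_alias, with the memberOf clause in the LDAP URL filter standing in for "Require ldap-group". The host name, OU and group DNs, service account and password are placeholders.

```apache
# Added example, not Wolfgang's actual config: two LDAP authn providers (one per
# OU) unified with mod_authn_alias, plus the memberOf filter in the LDAP URL.
# Host, DNs, service account and password are placeholders.
LoadModule ldap_module          modules/mod_ldap.so
LoadModule authnz_ldap_module   modules/mod_authnz_ldap.so
LoadModule authn_alias_module   modules/mod_authn_alias.so

# One alias per OU. The URL is host/BaseDN?attribute?scope?filter; mod_authnz_ldap
# ANDs the filter with (<attribute>=<login name>), so the memberOf clause makes
# users outside the group simply "not found". AD's memberOf holds direct
# membership only, so members of nested groups are not matched.
<AuthnProviderAlias ldap ldap-ou-sales>
    AuthLDAPURL "ldap://dc1.example.local:389/OU=Sales,DC=example,DC=local?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=local))"
    # AD normally rejects anonymous searches: bind with a read-only service
    # account, and keep this file readable by root only (the password is plain).
    AuthLDAPBindDN       "CN=svc-httpd,OU=Service,DC=example,DC=local"
    AuthLDAPBindPassword "PLACEHOLDER-CHANGE-ME"
    # needed on both aliases, as reported in the post above
    AuthzLDAPAuthoritative off
</AuthnProviderAlias>

<AuthnProviderAlias ldap ldap-ou-eng>
    AuthLDAPURL "ldap://dc1.example.local:389/OU=Engineering,DC=example,DC=local?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=local))"
    AuthLDAPBindDN       "CN=svc-httpd,OU=Service,DC=example,DC=local"
    AuthLDAPBindPassword "PLACEHOLDER-CHANGE-ME"
    AuthzLDAPAuthoritative off
</AuthnProviderAlias>

<Location /intranet>
    AuthType Basic
    AuthName "Intranet (AD login)"
    # providers are tried in this order; the first one that finds and
    # authenticates the user wins
    AuthBasicProvider ldap-ou-sales ldap-ou-eng
    # "Require ldap-group" is not usable with the aliases (see the post), so
    # group membership is enforced only by the filter above and plain
    # valid-user remains. Basic auth sends the AD password in clear: serve
    # this location over SSL only.
    Require valid-user
</Location>

# Check the filter by hand before wiring it into httpd.conf, e.g. for user jdoe:
#   ldapsearch -x -H ldap://dc1.example.local \
#     -D "CN=svc-httpd,OU=Service,DC=example,DC=local" -W \
#     -b "OU=Sales,DC=example,DC=local" \
#     "(&(objectClass=user)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=local)(sAMAccountName=jdoe))" dn
# No result here means httpd will answer 401 for that user as well.
```

Because the group check lives in the filter, a user removed from the group is refused only because the search returns nothing; audit logs will show a failed login, not an authorization denial.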



Re: [gentoo-user] Why is apache 2.2 hard masked?

2007-04-12 Thread Mike Williams
On Thursday 12 April 2007 06:13:44 Wolfgang Liebich wrote:
> OK - it is in testing. Does anyone here have experience with how stable
> it is to run? Maybe I need it b/c of a new auth module
> which does not seem to be available in apache 2.0.58...

Oddly enough...
http://archives.gentoo.org/gentoo-server/msg_11696.xml

(I've not used the auth modules though)

-- 
Mike Williams



[gentoo-user] Why is apache 2.2 hard masked?

2007-04-11 Thread Wolfgang Liebich

Hi,
I'm fighting with authentication problems (see my further mails about
mod_auth_ldap) and
maybe a new module available for apache 2.2 might solve them.
BUT apache 2.2 is hard masked - why? Any experiences?
- TIA
- Wolfgang
--
gentoo-user@gentoo.org mailing list



Re: [gentoo-user] Why is apache 2.2 hard masked?

2007-04-11 Thread Vladimir Rusinov

On 4/11/07, Wolfgang Liebich [EMAIL PROTECTED] wrote:

> I'm fighting with authentication problems (see my further mails about
> mod_auth_ldap) and
> maybe a new module available for apache 2.2 might solve them.
> BUT apache 2.2 is hard masked - why? Any experiences?



$ emerge -pv =apache-2.2

These are the packages that would be merged, in order:

Calculating dependencies |
!!! All ebuilds that could satisfy =apache-2.2 have been masked.
!!! One of the following masked packages is required to complete your
request:
- net-www/apache-2.2.4 (masked by: package.mask, ~x86 keyword)
# Michael Stewart [EMAIL PROTECTED] (03 Feb 2006)
# Mask for testing of new Apache 2.2 version

If you really want apache-2.2, use package.unmask

--
WBR, Vladimir Rusinov aka B.
[EMAIL PROTECTED]
[EMAIL PROTECTED]


Re: [gentoo-user] Why is apache 2.2 hard masked?

2007-04-11 Thread Wolfgang Liebich

Vladimir Rusinov schrieb:
> On 4/11/07, *Wolfgang Liebich* [EMAIL PROTECTED] wrote:
>
>> I'm fighting with authentication problems (see my further mails
>> about mod_auth_ldap) and
>> maybe a new module available for apache 2.2 might solve them.
>> BUT apache 2.2 is hard masked - why? Any experiences?
>
> $ emerge -pv =apache-2.2
>
> These are the packages that would be merged, in order:
>
> Calculating dependencies |
> !!! All ebuilds that could satisfy =apache-2.2 have been masked.
> !!! One of the following masked packages is required to complete your
> request:
>
> - net-www/apache-2.2.4 (masked by: package.mask, ~x86 keyword)
> # Michael Stewart [EMAIL PROTECTED] (03 Feb 2006)
> # Mask for testing of new Apache 2.2 version
>
> If you really want apache-2.2, use package.unmask

OK - it is in testing. Does anyone here have experience with how stable
it is to run? Maybe I need it b/c of a new auth module
which does not seem to be available in apache 2.0.58...

Ciao,
Wolfgang