Hi,

Mike Williams wrote:
> On Thursday 12 April 2007 06:13:44 Wolfgang Liebich wrote:
>
>> OK - it is in testing. Has anyone here experiences on how stable it is
>> to run? Maybe I need it b/c of a new auth module
>> which does not seem to be available in apache 2.0.58...
>>
>
> Oddly enough...
> http://archives.gentoo.org/gentoo-server/msg_11696.xml
>
> (I've not used the auth modules though)
>

Thank you all for your answers. I will try to press forward with apache 2.2.4.

The reason I need it is that I need to authenticate/authorize users against a Windows ActiveDirectory domain. This is done using LDAP. Until now we only had users coming from one OU served by our DC, so that setup worked w/o a hitch. BUT now we have gotten a user from a different OU, and ... well, I could not get mod_auth_ldap to look up the user from a BaseDN one level up (BUT searching the user via "ldapsearch" cmdline worked - IDGI....). Apache's "own" mod_auth_ldap (which you get with USE="ldap") didn't work, either..

SO I decided to go forward to apache 2.2.4 and use 2 LDAP authentication instances, each with a working BaseDN pointing to the wanted OU (same server, only the most specific OU in the BaseDN different) and unify them with mod_authn_alias. For simplicity I used apache's own mod_authnz_ldap.

This setup seems to work, with some caveats:

- You have to mark both LDAP auth module configurations with AuthzLDAPAuthoritative=off
- If you want to restrict access to your site to users belonging to a specified group, you cannot just use mod_authnz_ldap's "require ldap-group" feature b/c the module doing authorization checks is mod-authn-alias -- which has NO idea what "require ldap-group" means. Sigh. BUT: -- you can do some evil tricks with the ldap URL to fake this "require ldap-group" trick: You modify the search string (the last part of the LDAP url) to something like "(&(<original part, e.g. 'objectType=*'>)(memberOf=<DN of the user group>))". This has the effect that users not belonging to your wanted group are just not found. This is NOT the same as saying "users not in this group are not AUTHORIZED", but it is a working fake.

Well, I've got a working system this way, therefore my boss will probably ask me to stop researching further :-). But I'm not totally satisfied with the current solution, b/c

- I still don't get the REASON why the ldap auth modules can't find the user(s) but ldapsearch can.
- The solution is ugly :-) Seriously - I want to be able to use a single authn/authz provider. Maybe mod_auth_kerberos would be better?
- Earlier on I looked into mod_auth_pam (for authentication/authorization against our NIS/YP domain). BUT I didn't use it b/c it seemed to REQUIRE that apache gets read access for /etc/shadow. WHY? If I use pam+NIS, the local shadow pwd file should never need to be read, right? (Also a fellow sysadmin cautioned me against mod_auth_pam b/c he claimed it to be rather dead - i.e. not developed further).

Comments/Experiences would be very welcome!

Ciao,
Wolf"english is NOT my native tongue:-("gang

--
[EMAIL PROTECTED] mailing list
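As an added illustration, not configuration from the post above, this is what the two-alias setup it describes looks like in Apache 2.2 syntax: two mod_authnz_ldap providers (one per OU) joined with mod_authn_alias, the memberOf filter appended to each LDAP URL, and AuthzLDAPAuthoritative switched off. Server name, OU and group DNs, the bind account and the `(objectClass=user)` base filter are assumed placeholders.

```apache
# Added example (not from the original post). Two mod_authnz_ldap providers,
# one per AD OU, unified through mod_authn_alias on Apache 2.2.
# Host, base DNs, bind account and group DN below are placeholders.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authn_alias_module modules/mod_authn_alias.so

# Provider for the first OU. The filter (last component of the URL) is
# extended with memberOf, so users outside the group are simply not found.
<AuthnProviderAlias ldap ldap-ou-a>
    # Use a dedicated read-only bind account; keep this file root-readable only.
    AuthLDAPBindDN       "CN=apache-bind,OU=ServiceAccounts,DC=example,DC=local"
    AuthLDAPBindPassword "placeholder-password"
    AuthLDAPURL "ldap://dc.example.local/OU=OU-A,DC=example,DC=local?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=local))"
</AuthnProviderAlias>

# Provider for the second OU: same server, same filter, only the most
# specific OU in the base DN differs.
<AuthnProviderAlias ldap ldap-ou-b>
    AuthLDAPBindDN       "CN=apache-bind,OU=ServiceAccounts,DC=example,DC=local"
    AuthLDAPBindPassword "placeholder-password"
    AuthLDAPURL "ldap://dc.example.local/OU=OU-B,DC=example,DC=local?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=local))"
</AuthnProviderAlias>

<Location /intranet>
    AuthType Basic
    AuthName "Intranet"
    # Try OU-A first, then OU-B; the first provider that finds and binds
    # the user wins.
    AuthBasicProvider ldap-ou-a ldap-ou-b
    # Let mod_authnz_ldap decline authorization instead of rejecting, so the
    # aliased chain is not short-circuited. The group restriction is enforced
    # by the memberOf filter above, not by "require ldap-group".
    AuthzLDAPAuthoritative off
    Require valid-user
</Location>
```

Note that a plain memberOf filter matches direct group membership only; members of nested groups are not found, and a user who is later removed from the group stays locked out only after mod_ldap's search cache expires.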