Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Authenticating Apache against Active Directory

  • 31-08-2009 10:58am
    #1
    Moderators, Music Moderators Posts: 23,363 Mod ✭✭✭✭


    I've been racking my brains over this for the past week or so and I still haven't managed to get it right. I'm trying to get Apache to authenticate against my AD domain and then to check if the user is a member of a group or not. If they are, allow them access.

    This is my ldap.conf file:
    <Location /private>
            AuthName "Protected Page"
            AuthType Basic
            AuthBasicProvider ldap
            AuthzLDAPAuthoritative on  
    
    	AuthLDAPUrl "ldap://global-catalogue.domain.com:3268/dc=com,dc=domain?sAMAccountName"
    
            AuthLDAPBindDN "apache@domain.com"
            AuthLDAPBindPassword "{P@55w0rd}"
            AuthLDAPGroupAttribute memberOf
            AuthLDAPGroupAttributeIsDN on     
            Require ldap-group CN=Admins,CN=Users,DC=domain,DC=com
            allow from all
    </Location>
    

    It seems that it can't find the memberOf attribute in the group:
    [Mon Aug 31 11:57:11 2009] [debug] mod_authnz_ldap.c(713): [client xx.xxx.xxx.xxx] [21441] auth_ldap authorise: require group "CN=Admins,CN=Users,DC=domain,DC=com": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
    [Mon Aug 31 11:57:11 2009] [debug] mod_authnz_ldap.c(826): [client xx.xxx.xxx.xxx] [21441] auth_ldap authorise: authorisation denied
    

    It's driving me up the wall. Anyone have any ideas?


Comments

  • Moderators, Music Moderators Posts: 23,363 Mod ✭✭✭✭feylya


    Everyone as confused as I am? I think it's something to do with getting the uid for the user from AD and comparing that to memberUID in the groups but I can't get the uid for the user for some reason.


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Have you tried using just "member" instead of "memberOf"?

    (I don't have an LDAP server handy so can't verify anything myself :()


  • Moderators, Music Moderators Posts: 23,363 Mod ✭✭✭✭feylya


    Yup, tried member, memberof, memberuid... At the moment, I using an ldap filter to get a user that is a user but also a member of the group. Remove the use of ldap-group. No luck so far :(


  • Registered Users, Registered Users 2 Posts: 6,762 ✭✭✭WizZard


    Can you see/export what is stored in the LDAP record for the group and user?

    Maybe try using the GID instead?
    Require ldap-attribute gidNumber=XX
    


  • Moderators, Music Moderators Posts: 23,363 Mod ✭✭✭✭feylya


    It's finding the group fine. It just can't compare attributes from the user account to it's members


  • Advertisement
Advertisement