01-19-2010, 03:48 AM   #1
quanta
Member
Registered: Aug 2007
Location: Vietnam
Distribution: RedHat based, Debian based, Slackware, Gentoo
Posts: 724
Rep: Reputation: 101

mod_authz_ldap + Active Directory: "require group" not working?

Hi all,

I want to set up AD authentication with Apache. My authz_ldap.conf is below:
Code:
LoadModule authz_ldap_module modules/mod_authz_ldap.so

<IfModule mod_authz_ldap.c>
	
   <Location />
	AuthBasicProvider ldap
	AuthzLDAPAuthoritative Off
	AuthLDAPURL ldap://10.128.28.3:3268/dc=linuxquestions,dc=org?sAMAccountName
	AuthLDAPBindDN cn=anonbinduser,dc=linuxquestions,dc=org
	AuthLDAPBindPassword secret
	AuthType Basic
	AuthName "Authorization required"

	AuthzLDAPGroupBase		ou=Elite,dc=linuxquestions,dc=org
	AuthzLDAPGroupkey		cn
	AuthzLDAPMemberKey		member
	AuthzLDAPSetGroupAuth	user
	#require group elite
	require valid-user
	AuthzLDAPLogLevel debug
   </Location>

</IfModule>
The "require valid-user" directive works fine, but I want to limit authentication to a specific group in AD. I tried the following configurations:
Code:
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN off
require group "cn=elite,ou=xx,dc=linuxquestions,dc=org"
Code:
AuthzLDAPGroupBase		ou=xx,dc=linuxquestions,dc=org
AuthzLDAPGroupkey		cn
AuthzLDAPMemberKey		member
AuthzLDAPSetGroupAuth	user
require group elite
and turned the AuthzLDAPAuthoritative directive to "On". If I set it to "Off", I get the following error:
Quote:
[Tue Jan 19 10:59:01 2010] [error] [client 192.168.200.130] access to /cgi-bin/routers2.cgi failed, reason: require directives present and no Authoritative handler.
I restarted Apache and tested with some AD accounts, but I always get the following error:
Quote:
[Tue Jan 19 10:26:31 2010] [debug] mod_authnz_ldap.c(454): [client 172.16.128.155] [21362] auth_ldap authenticate: accepting quan.ta
[Tue Jan 19 10:26:31 2010] [debug] mod_authnz_ldap.c(826): [client 172.16.128.155] [21362] auth_ldap authorise: authorisation denied
Any help will be highly appreciated.

If I configure authz_ldap.conf following the authz module style:
Code:
	AuthType basic
	AuthName "Authorization required"

	AuthzLDAPMethod ldap

	AuthzLDAPServer 10.128.28.3:3268
	AuthzLDAPBindDN "anonbinduser@linuxquestions.org"
	AuthzLDAPBindPassword "secret"

	AuthzLDAPUserKey sAMAccountName
	AuthzLDAPUserBase "dc=linuxquestions,dc=org"
	#AuthzLDAPUserScope subtree

	AuthzLDAPAuthoritative Off
	AuthUserFile /usr/local/share/apache/htpasswd

	require valid-user

	AuthzLDAPLogLevel info
I get a "user quan.ta not found" error.

Last edited by quanta; 01-21-2010 at 08:19 AM.
 
01-25-2010, 10:40 PM   #2
quanta
Has anyone had success with the "require group" directive in mod_authz_ldap? Could you please give me an example configuration?
 
02-11-2010, 11:46 AM   #3
quanta

Hi all,

Problem solved with the final configuration file below:
Code:
	AuthBasicProvider ldap
	AuthzLDAPAuthoritative On
	AuthLDAPURL ldap://10.128.28.3:3268/dc=xx,dc=com?sAMAccountName
	AuthLDAPBindDN cn=anonbinduser,dc=xx,dc=com
	AuthLDAPBindPassword secret
	AuthType Basic
	AuthName "Authorization required"

	require ldap-group cn=elite,ou=xx,dc=xx,dc=com
	AuthzLDAPLogLevel debug
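
A small lint for the mismatch this thread ran into, added here as an example and not part of the original posts: it flags mod_authz_ldap lookup settings and `require group` in a block that authenticates with `AuthBasicProvider ldap`. Which module owns each directive (Apache 2.2's bundled mod_authnz_ldap versus the third-party mod_authz_ldap) is an assumption, as are the function names; the sample configurations are abridged from the posts above.

```python
# Assumed directive ownership for Apache 2.2; the thread does not state it.
AUTHZ_LDAP_LOOKUP = {  # lookup settings of the third-party mod_authz_ldap
    "authzldapserver", "authzldapuserkey", "authzldapuserbase",
    "authzldapgroupbase", "authzldapgroupkey", "authzldapmemberkey",
    "authzldapsetgroupauth",
}

def parse(conf):
    """Return (name, args) pairs; skip blanks, comments and <Section> tags."""
    pairs = []
    for raw in conf.splitlines():
        line = raw.strip()
        if line and line[0] not in "#<":
            parts = line.split(None, 1)
            pairs.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return pairs

def lint(conf):
    """Findings for a block that authenticates with 'AuthBasicProvider ldap'."""
    pairs = parse(conf)
    cfg = dict(pairs)
    findings = []
    for name, args in pairs:
        if name in AUTHZ_LDAP_LOOKUP:
            findings.append(f"{name}: mod_authz_ldap setting, not read by mod_authnz_ldap")
        elif name == "require":
            words = args.split(None, 1)
            kind = words[0].lower() if words else ""
            if kind == "group" and "authgroupfile" not in cfg:
                findings.append("require group: use 'require ldap-group <group DN>'")
            elif kind == "ldap-group" and "=" not in args:
                findings.append("require ldap-group: give the group's full DN")
    # With IsDN off the login name is compared to 'member', which in AD holds DNs.
    if cfg.get("authldapgroupattributeisdn", "on").lower() == "off":
        findings.append("authldapgroupattributeisdn off: AD 'member' values are DNs")
    return findings

# Sample inputs abridged from the posts in this thread.
BROKEN = """AuthBasicProvider ldap
AuthLDAPURL ldap://10.128.28.3:3268/dc=linuxquestions,dc=org?sAMAccountName
AuthzLDAPGroupBase ou=xx,dc=linuxquestions,dc=org
AuthzLDAPGroupkey cn
AuthzLDAPMemberKey member
AuthzLDAPSetGroupAuth user
require group elite"""
ATTEMPT2 = """AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN off
require group "cn=elite,ou=xx,dc=linuxquestions,dc=org\""""
FIXED = """AuthBasicProvider ldap
AuthLDAPURL ldap://10.128.28.3:3268/dc=xx,dc=com?sAMAccountName
require ldap-group cn=elite,ou=xx,dc=xx,dc=com"""
```

Calling `lint()` on each sample returns a list of findings; an empty list means the block uses only the mod_authnz_ldap forms the final configuration settled on.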
 
  

