Hi all,
I want to set up AD authentication with Apache. My authz_ldap.conf is below:
Code:
LoadModule authz_ldap_module modules/mod_authz_ldap.so
<IfModule mod_authz_ldap.c>
<Location />
AuthBasicProvider ldap
AuthzLDAPAuthoritative Off
AuthLDAPURL ldap://10.128.28.3:3268/dc=linuxquestions,dc=org?sAMAccountName
AuthLDAPBindDN cn=anonbinduser,dc=linuxquestions,dc=org
AuthLDAPBindPassword secret
AuthType Basic
AuthName "Authorization required"
AuthzLDAPGroupBase ou=Elite,dc=linuxquestions,dc=org
AuthzLDAPGroupkey cn
AuthzLDAPMemberKey member
AuthzLDAPSetGroupAuth user
#require group elite
require valid-user
AuthzLDAPLogLevel debug
</Location>
</IfModule>
The "require valid-user" directive works fine, but I want to limit authentication to a specific group in AD. I tried the following configurations:
Code:
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN off
require group "cn=elite,ou=xx,dc=linuxquestions,dc=org"
Code:
AuthzLDAPGroupBase ou=xx,dc=linuxquestions,dc=org
AuthzLDAPGroupkey cn
AuthzLDAPMemberKey member
AuthzLDAPSetGroupAuth user
require group elite
and turned the AuthzLDAPAuthoritative directive to "On". If I set it to "Off", I get the following error:
Quote:
[Tue Jan 19 10:59:01 2010] [error] [client 192.168.200.130] access to /cgi-bin/routers2.cgi failed, reason: require directives present and no Authoritative handler.
I restarted Apache and tested with some AD accounts, but I always get the following error:
Quote:
[Tue Jan 19 10:26:31 2010] [debug] mod_authnz_ldap.c(454): [client 172.16.128.155] [21362] auth_ldap authenticate: accepting quan.ta
[Tue Jan 19 10:26:31 2010] [debug] mod_authnz_ldap.c(826): [client 172.16.128.155] [21362] auth_ldap authorise: authorisation denied
Any help will be highly appreciated.
If I configure authz_ldap.conf in the authz_ldap module style:
Code:
AuthType basic
AuthName "Authorization required"
AuthzLDAPMethod ldap
AuthzLDAPServer 10.128.28.3:3268
AuthzLDAPBindDN "anonbinduser@linuxquestions.org"
AuthzLDAPBindPassword "secret"
AuthzLDAPUserKey sAMAccountName
AuthzLDAPUserBase "dc=linuxquestions,dc=org"
#AuthzLDAPUserScope subtree
AuthzLDAPAuthoritative Off
AuthUserFile /usr/local/share/apache/htpasswd
require valid-user
AuthzLDAPLogLevel info
I get a "user quan.ta not found" error.
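For comparison, here is an added example of a group-restricted configuration that uses only the stock mod_authnz_ldap module (Apache 2.2 syntax). It is not the poster's configuration and not taken from any of the attempts above; it is what an LDAP group restriction against AD is normally written as. The server address, base DN and bind DN are reused from the post; the bind password is a placeholder, and the group DN cn=elite,ou=Elite,dc=linuxquestions,dc=org is an assumption built from the group base and group name the post mentions. The two points it isolates are the group requirement directive (Require ldap-group, since Require group in Apache 2.2 refers to file-based groups from mod_authz_groupfile) and AuthLDAPGroupAttributeIsDN, which must be on because AD stores group members in the member attribute as full DNs.

```apache
# Added example, not the original poster's config. Apache 2.2, mod_authnz_ldap only.
# Placeholders: REPLACE_WITH_BIND_PASSWORD; the group DN is an assumption.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

<Location /cgi-bin/routers2.cgi>
    AuthType Basic
    AuthName "Authorization required"
    AuthBasicProvider ldap

    # Global Catalog port 3268, subtree search, match the Basic-auth username
    # against sAMAccountName and restrict hits to user objects.
    AuthLDAPURL "ldap://10.128.28.3:3268/dc=linuxquestions,dc=org?sAMAccountName?sub?(objectClass=user)"

    # AD rejects anonymous searches; bind with a low-privilege service account.
    AuthLDAPBindDN "cn=anonbinduser,dc=linuxquestions,dc=org"
    AuthLDAPBindPassword "REPLACE_WITH_BIND_PASSWORD"

    # AD group objects list members in 'member' as full DNs, so the membership
    # comparison must use the authenticated user's DN, not the login name.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # Let mod_authnz_ldap be the final authority instead of falling through
    # to other authorization providers.
    AuthzLDAPAuthoritative on

    # LDAP-aware group check ('Require group' is for file-based groups).
    Require ldap-group cn=elite,ou=Elite,dc=linuxquestions,dc=org
</Location>
```

Two practical checks that go with this: with LogLevel debug, a successful request logs "auth_ldap authorise: require group: authorisation successful" from mod_authnz_ldap, and a denied one logs the "authorisation denied" line seen above, which is the quickest way to tell whether the group comparison or the bind is failing. Because the bind password is stored in clear text and plain ldap:// on port 3268 sends both the service account's and the users' passwords unencrypted, the config file should be readable only by root and the Global Catalog over LDAPS (port 3269 with LDAPTrustedGlobalCert configured for mod_ldap) is the preferable transport. Note also that Apache 2.2's Require ldap-group does not follow nested AD group membership; a user must be a direct member of the named group.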