On 3/20/07, Todd Nine <[EMAIL PROTECTED]> wrote:
Hi all,
  I'm having a bit of trouble getting mod_authz_ldap to work.  I have my OU
layout and my posix groups layout included.  I'm simply trying to
authenticate the user "tnine" against the group
 cn=development,ou=Groups,dc=arocksoftware,dc=com


 I receive the following error, so I'm obviously not getting authorized

auth_ldap authenticate: user tnine authentication failed; URI /vcproject/
[ldap_search_ext_s() for user failed][No such object]


 I have the following settings in my authorization directive.  But I have
several questions.  Any help would be greatly appreciated.

1. I'm using a posixGroup, is that not possible?
2. I have set the log level to debug, but I only get the above line in the
error_log.  I'd like to see the query string it's issuing, is that possible?
3. I thought that by setting the AuthLDAPGroupAttribute it would find my
username and authenticate me, is that not correct?

I personally always look on the LDAP back-end side to see the query
string being issued. Which LDAP directory are you using?

Before working with a group, do you have the LDAP authentication
working for a single user?

The "require valid-user" directive requires that mod_authz_user be loaded
and that the AuthzLDAPAuthoritative directive be set to off, but you
have it set to off
(http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqvaliduser).

AuthLDAPGroupAttribute specifies which LDAP attributes are used to
check for group membership.
The require directives are used during the authorization phase: are
you sure you're right in specifying both require valid-user and
require ldap-group? As said a few lines below, require valid-user
requires an additional authorization module (mod_authz_user). Why
not use only require ldap-group? This way you could leave
"AuthzLDAPAuthoritative On"?

Regards,

Gaël
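
An added example, not part of either message in this thread: a mod_authnz_ldap (Apache 2.2) block for the `/vcproject/` URI that authorizes against the posixGroup named above using only `Require ldap-group`. The host name `ldap.example.com`, the `ou=People` search base, the realm name and the anonymous bind are assumptions; the group DN is the one quoted in the question.

```apache
# Added example; host, ou=People base and realm name are assumed values.
<Location /vcproject/>
    AuthType Basic
    AuthName "vcproject"
    AuthBasicProvider ldap

    # Authentication phase. URL format: ldap://host/basedn?attribute?scope?filter
    # The base DN must exist in the directory: a search against a missing
    # base returns LDAP result 32, "No such object".
    # Assumes anonymous search is allowed; otherwise set AuthLDAPBindDN and
    # AuthLDAPBindPassword.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=arocksoftware,dc=com?uid?sub?(objectClass=posixAccount)"

    # Authorization phase. A posixGroup lists members as plain user names in
    # memberUid, not as full DNs, so compare the login name instead of the
    # user's DN.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Group requirement only; no "Require valid-user", so mod_authnz_ldap
    # can remain the authoritative authorization module.
    Require ldap-group cn=development,ou=Groups,dc=arocksoftware,dc=com
    AuthzLDAPAuthoritative on
</Location>
```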
