23 Aug
2007
23 Aug
'07
10:54 a.m.
I am using mod_auth_ldap on Apache 2.0.54 and SuSE 10.1. I have things
configured to authenticate to an LDAP source running on IBM Lotus Domino
directory. Authentication works fine. If I configure the <Location> to
require a valid-user things work fine. But, when I "require group
cn=groupname" things fall apart. I don't get any messags in the apache
logs telling me there was an authentication failure or anything, just that
the login box pops up over and over again when accessing the site. I can
do ldapsearch to find all the attributes I'm using for authentication and
authorization. I just don't know exactly what is happening behind the
scenes. I don't know what sort of debug levels I can increase and
hopefully gain more information in the apache logs, etc. This project is
a joint effort between me and the Notes administration team here at work,
so I have very limited access to any Domino logs. However, we did get IBM
involved, and we were told that Domino Dirctory Services is setup
correctly.
~Dale
--
To unsubscribe, e-mail: opensuse+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse+help(a)opensuse.org
27 Aug
27 Aug
10:31 a.m.
On 8/23/07, Dale Schuster <Dale.Schuster(a)sncorp.com> wrote:
I am using mod_auth_ldap on Apache 2.0.54 and SuSE
10.1. I have things
configured to authenticate to an LDAP source running on IBM Lotus Domino
directory. Authentication works fine. If I configure the <Location> to
require a valid-user things work fine. But, when I "require group
cn=groupname" things fall apart.
Could you paste the relevant lines from your apache's configuration?
I don't get any messags in the apache
logs telling me there was an authentication failure or anything, just that
...
a joint effort between me and the Notes administration team here at work,
so I have very limited access to any Domino logs. However, we did get IBM
involved, and we were told that Domino Dirctory Services is setup
correctly.
I set-up apache's authentication to a Domino server using LDAP a 2/3
years ago and pretty much all the steps to be followed where on the
apache' side.
It's really strange that there is nothing on apache's error log.
Regards,
Gael
--
To unsubscribe, e-mail: opensuse+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse+help(a)opensuse.org
30 Aug
30 Aug
11:59 a.m.
"Gaël Lams" <lamsgael(a)gmail.com> wrote on 08/27/2007 08:31:25 AM:
<Directory "/srv/www/secdocs/testing">
AuthLDAPEnabled on
AuthType Basic
AuthName "Test Directory"
AuthLDAPURL ldap://192.168.12.29/?cn
AuthLDAPCompareDNOnServer off
AuthLDAPGroupAttributeIsDN on
AuthLDAPRemoteUserIsDN on
AuthLDAPGroupAttribute member
#Require group CN=SNC
Require valid-user
</Directory>
The agent from IBM told me that they cannot use uid for authentication,
but it was working. I did change to cn instead, but things are identical
either way. With the config as-is above, the site works. But, if I
change the valid-user to group, it breaks.
Yes, That is what I thought also. When viewing the website, the
authentication box just keeps popping up over and over. If I type the
password in wrong, that error is noted in the error_log, and if I type an
invalid username, that info is also logged. However, when I type the
correct username and password, NOTHING is logged. This is understandable,
because the authentication success wouldn't be logged as an error. I'm
sure it's the authorization phase that is failing, but the troublesome
part is no errors are reported for that phase. The page isn't served, so
the access_log shows as a 401 - access denied.
Thanks,
~Dale
P.S. I didn't notice this response until you responded to my re-post. I'm
sorry for re-posting, but I use Lotus Notes for e-mail and it is very
difficult to keep track of these threads on such a high-volume list. I
haven't been able to figure out how to get Notes to view the [opensuse]
messages in a threaded view.
--
To unsubscribe, e-mail: opensuse+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse+help(a)opensuse.org
On 8/23/07, Dale Schuster
<Dale.Schuster(a)sncorp.com> wrote:
> I am using mod_auth_ldap on Apache 2.0.54 and SuSE 10.1. I have
things
> configured to authenticate to an LDAP source
running on IBM Lotus
Domino
> directory. Authentication works fine. If I
configure the <Location>
to
require a
valid-user things work fine. But, when I "require group
cn=groupname" things fall apart.
Could you paste the relevant lines from your apache's configuration?
> I don't get any messags in the apache
> logs telling me there was an authentication failure or anything, just
that
> ...
> a joint effort between me and the Notes administration team here at
work,
> so I have very limited access to any Domino logs.
However, we did get
IBM
involved, and
we were told that Domino Dirctory Services is setup
correctly.
I set-up apache's authentication to a Domino server using LDAP a 2/3
years ago and pretty much all the steps to be followed where on the
apache' side.
It's really strange that there is nothing on apache's error log.
31 Aug
31 Aug
2:16 a.m.
Hi,
<Directory
"/srv/www/secdocs/testing">
AuthLDAPEnabled on
AuthType Basic
AuthName "Test Directory"
AuthLDAPURL ldap://192.168.12.29/?cn
AuthLDAPCompareDNOnServer off
AuthLDAPGroupAttributeIsDN on
AuthLDAPRemoteUserIsDN on
AuthLDAPGroupAttribute member
#Require group CN=SNC
Require valid-user
</Directory>
I think you should use
Did you perform an ldapsearch against you domino directory and do you
see in the members list the use you are trying to authenticate?
you should use this for the ldapsearch:
"(&(objectClass=dominoGroup)(cn=SNC))"
The agent from IBM told me that they cannot use uid
for authentication,
but it was working. I did change to cn instead, but things are identical
either way. With the config as-is above, the site works. But, if I
change the valid-user to group, it breaks.
Using the cn should be fine. Are you sure you really need "
AuthLDAPGroupAttributeIsDN on" and "AuthLDAPRemoteUserIsDN on". I
would remove them, especially because I see them indicated as
experimental on the apache's web site and I don't think you need them.
P.S. I didn't notice this response until you
responded to my re-post. I'm
sorry for re-posting, but I use Lotus Notes for e-mail and it is very
difficult to keep track of these threads on such a high-volume list. I
haven't been able to figure out how to get Notes to view the [opensuse]
messages in a threaded view.
There is a View by Thread on the Lotus Notes client but the fact is
that, for most of the mailing list I use gmail and I've been using
Thunderbird to read my lotus email for the past few months
--
To unsubscribe, e-mail: opensuse+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse+help(a)opensuse.org
12:10 p.m.
"Gaël Lams" <lamsgael(a)gmail.com> wrote on 08/31/2007 12:16:08 AM:
Hi,
"(&(objectClass=dominoGroup)(cn=SNC))"
I can do ldapsearch with success.
ldapsearch -x -H ldap://192.168.12.29 "(&(CN=SNC)(member=CN=Dale
Schuster,O=SNCustomer))" dn
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (&(CN=SNC)(member=CN=Dale Schuster,O=SNCustomer))
# requesting: dn
#
# SNC
dn: CN=SNC
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Or even the following:
ldapsearch -x -H ldap://192.168.12.29 -D "cn=SNC" member="CN=Dale
Schuster,O=SNCustomer" dn
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: member=CN=Dale Schuster,O=SNCustomer
# requesting: dn
#
# SNC
dn: CN=SNC
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
<Directory
"/srv/www/secdocs/testing">
AuthLDAPEnabled on
AuthType Basic
AuthName "Test Directory"
AuthLDAPURL ldap://192.168.12.29/?cn
AuthLDAPCompareDNOnServer off
AuthLDAPGroupAttributeIsDN on
AuthLDAPRemoteUserIsDN on
AuthLDAPGroupAttribute member
#Require group CN=SNC
Require valid-user
</Directory>
I think you should use
Did you perform an ldapsearch against you domino directory and do you
see in the members list the use you are trying to authenticate?
you should use this for the ldapsearch:
Using the cn should be fine. Are you sure you really
need "
AuthLDAPGroupAttributeIsDN on" and "AuthLDAPRemoteUserIsDN on". I
would remove them, especially because I see them indicated as
experimental on the apache's web site and I don't think you need them.
I removed both of those directives, and the result is still exactly the
same. It is frustrating not seeing anything in the logs. Do you know of
what I can do to log more info? Perhaps there is something from openLDAP
I can view.
~Dale
--
Dale Schuster
Systems Administrator
Sierra Nevada Corporation
Information Systems
--
To unsubscribe, e-mail: opensuse+unsubscribe(a)opensuse.org
For additional commands, e-mail: opensuse+help(a)opensuse.org
4938
days inactive
4946
days old
4 comments
2 participants
participants (2)
-
Dale Schuster -
Gaël Lams