[opensuse] Apache Require Group and Lotus Domino LDAP
I am using mod_auth_ldap on Apache 2.0.54 and SuSE 10.1. I have things configured to authenticate to an LDAP source running on an IBM Lotus Domino directory. Authentication works fine. If I configure the <Location> to require a valid-user, things work fine. But when I "require group cn=groupname" things fall apart. I don't get any messages in the Apache logs telling me there was an authentication failure or anything, just that the login box pops up over and over again when accessing the site.

I can do ldapsearch to find all the attributes I'm using for authentication and authorization. I just don't know exactly what is happening behind the scenes. I don't know what sort of debug levels I can increase to hopefully gain more information in the Apache logs, etc.

This project is a joint effort between me and the Notes administration team here at work, so I have very limited access to any Domino logs. However, we did get IBM involved, and we were told that Domino Directory Services is set up correctly.

~Dale
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On 8/23/07, Dale Schuster wrote:
> I am using mod_auth_ldap on Apache 2.0.54 and SuSE 10.1. I have things configured to authenticate to an LDAP source running on an IBM Lotus Domino directory. Authentication works fine. If I configure the <Location> to require a valid-user, things work fine. But when I "require group cn=groupname" things fall apart.

Could you paste the relevant lines from your Apache configuration?

> I don't get any messages in the Apache logs telling me there was an authentication failure or anything, just that ... a joint effort between me and the Notes administration team here at work, so I have very limited access to any Domino logs. However, we did get IBM involved, and we were told that Domino Directory Services is set up correctly.

I set up Apache's authentication to a Domino server using LDAP 2/3 years ago, and pretty much all the steps to be followed were on the Apache side. It's really strange that there is nothing in Apache's error log.

Regards,
Gael
"Gaël Lams" wrote:
> On 8/23/07, Dale Schuster wrote:
> > I am using mod_auth_ldap on Apache 2.0.54 and SuSE 10.1. I have things configured to authenticate to an LDAP source running on an IBM Lotus Domino directory. Authentication works fine. If I configure the <Location> to require a valid-user, things work fine. But when I "require group cn=groupname" things fall apart.
>
> Could you paste the relevant lines from your Apache configuration?
>
> > I don't get any messages in the Apache logs telling me there was an authentication failure or anything, just that ... a joint effort between me and the Notes administration team here at work, so I have very limited access to any Domino logs. However, we did get IBM involved, and we were told that Domino Directory Services is set up correctly.
>
> I set up Apache's authentication to a Domino server using LDAP 2/3 years ago, and pretty much all the steps to be followed were on the Apache side.
> It's really strange that there is nothing in Apache's error log.
Yes, that is what I thought also. When viewing the website, the authentication box just keeps popping up over and over. If I type the password in wrong, that error is noted in the error_log, and if I type an invalid username, that info is also logged. However, when I type the correct username and password, NOTHING is logged. This is understandable, because the authentication success wouldn't be logged as an error. I'm sure it's the authorization phase that is failing, but the troublesome part is that no errors are reported for that phase. The page isn't served, so the access_log shows a 401 - access denied.

Thanks,
~Dale

P.S. I didn't notice this response until you responded to my re-post. I'm sorry for re-posting, but I use Lotus Notes for e-mail and it is very difficult to keep track of these threads on such a high-volume list. I haven't been able to figure out how to get Notes to view the [opensuse] messages in a threaded view.
Hi,

> AuthLDAPEnabled on
> AuthType Basic
> AuthName "Test Directory"
> AuthLDAPURL ldap://192.168.12.29/?cn
> AuthLDAPCompareDNOnServer off
> AuthLDAPGroupAttributeIsDN on
> AuthLDAPRemoteUserIsDN on
> AuthLDAPGroupAttribute member
> #Require group CN=SNC
> Require valid-user
> </Directory>

I think you should use

Did you perform an ldapsearch against your Domino directory, and do you see in the members list the user you are trying to authenticate? You should use this for the ldapsearch: "(&(objectClass=dominoGroup)(cn=SNC))"

> The agent from IBM told me that they cannot use uid for authentication, but it was working. I did change to cn instead, but things are identical either way. With the config as-is above, the site works. But, if I change the valid-user to group, it breaks.

Using the cn should be fine. Are you sure you really need "AuthLDAPGroupAttributeIsDN on" and "AuthLDAPRemoteUserIsDN on"? I would remove them, especially because I see them indicated as experimental on the Apache web site and I don't think you need them.

> P.S. I didn't notice this response until you responded to my re-post. I'm sorry for re-posting, but I use Lotus Notes for e-mail and it is very difficult to keep track of these threads on such a high-volume list. I haven't been able to figure out how to get Notes to view the [opensuse] messages in a threaded view.

There is a View by Thread in the Lotus Notes client, but the fact is that for most of the mailing lists I use gmail, and I've been using Thunderbird to read my Lotus email for the past few months.
"Gaël Lams" wrote:
> Hi,
>
> > AuthLDAPEnabled on
> > AuthType Basic
> > AuthName "Test Directory"
> > AuthLDAPURL ldap://192.168.12.29/?cn
> > AuthLDAPCompareDNOnServer off
> > AuthLDAPGroupAttributeIsDN on
> > AuthLDAPRemoteUserIsDN on
> > AuthLDAPGroupAttribute member
> > #Require group CN=SNC
> > Require valid-user
> > </Directory>
>
> I think you should use
>
> Did you perform an ldapsearch against your Domino directory, and do you see in the members list the user you are trying to authenticate? You should use this for the ldapsearch: "(&(objectClass=dominoGroup)(cn=SNC))"

I can do ldapsearch with success.

ldapsearch -x -H ldap://192.168.12.29 "(&(CN=SNC)(member=CN=Dale Schuster,O=SNCustomer))" dn
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (&(CN=SNC)(member=CN=Dale Schuster,O=SNCustomer))
# requesting: dn
#

# SNC
dn: CN=SNC

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Or even the following:

ldapsearch -x -H ldap://192.168.12.29 -D "cn=SNC" member="CN=Dale Schuster,O=SNCustomer" dn
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: member=CN=Dale Schuster,O=SNCustomer
# requesting: dn
#

# SNC
dn: CN=SNC

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

> Using the cn should be fine. Are you sure you really need "AuthLDAPGroupAttributeIsDN on" and "AuthLDAPRemoteUserIsDN on"? I would remove them, especially because I see them indicated as experimental on the Apache web site and I don't think you need them.

I removed both of those directives, and the result is still exactly the same. It is frustrating not seeing anything in the logs. Do you know what I can do to log more info? Perhaps there is something from OpenLDAP I can view.

~Dale
--
Dale Schuster
Systems Administrator
Sierra Nevada Corporation
Information Systems
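The ldapsearch commands above are search operations, whereas mod_auth_ldap's "Require group" issues an LDAP compare of the group attribute against either the user's DN or the bare username, depending on AuthLDAPGroupAttributeIsDN. The following is an added example, not code from the thread, Apache or Domino, that emulates that compare offline against a constructed group entry; the DN normalisation is an assumed approximation of server-side DN matching, and the ldapcompare command in the docstring is the live equivalent of the same check.

```python
"""Offline emulation of the LDAP compare behind mod_auth_ldap's "Require group".
Added example, not code from this thread, Apache or Domino.  Against a live
server, OpenLDAP's ldapcompare issues the same operation (exit 6 TRUE, 5 FALSE):
  ldapcompare -x -H ldap://192.168.12.29 "CN=SNC" "member:CN=Dale Schuster,O=SNCustomer"
"""
from typing import Dict, List

# Constructed group entry, modelled on the thread's ldapsearch output.
GROUP_LDIF = """\
dn: CN=SNC
objectClass: dominoGroup
cn: SNC
member: CN=Dale Schuster,O=SNCustomer
member: CN=Another User,O=SNCustomer
"""

def parse_ldif_entry(ldif: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {attribute (lowercased): [values]}."""
    entry: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def normalize_dn(dn: str) -> str:
    """Approximate distinguishedName matching (assumed server behaviour): case
    folded, whitespace around RDN separators ignored, not a raw string compare."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def require_group(group: Dict[str, List[str]], group_attr: str,
                  group_attr_is_dn: bool, user_dn: str, username: str) -> bool:
    """Compare mod_auth_ldap sends for "Require group <group DN>": the asserted
    value is the user's DN (AuthLDAPGroupAttributeIsDN on, matched as a DN) or
    the bare username (off, matched as a plain string against the values)."""
    members = group.get(group_attr.lower(), [])
    if group_attr_is_dn:
        return normalize_dn(user_dn) in {normalize_dn(m) for m in members}
    return username in members

if __name__ == "__main__":
    g = parse_ldif_entry(GROUP_LDIF)
    for is_dn in (True, False):
        ok = require_group(g, "member", is_dn, "CN=Dale Schuster,O=SNCustomer", "Dale Schuster")
        print("AuthLDAPGroupAttributeIsDN", "on" if is_dn else "off", "->", ok)
```

With the group attribute holding DNs, only the IsDN-on form can match; the off form compares the bare username against DN-valued members and fails without any error being logged, which is the silent 401 pattern described in the thread.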