On 8/23/07, Dale Schuster wrote:

...

I am using mod_auth_ldap on Apache 2.0.54 and SuSE 10.1. I have

"Gaël Lams" wrote on 08/27/2007 08:31:25 AM: things

...

configured to authenticate to an LDAP source running on IBM Lotus Domino directory. Authentication works fine. If I configure the <Location> to require a valid-user things work fine. But, when I "require group cn=groupname" things fall apart.

Could you paste the relevant lines from your apache's configuration?

AuthLDAPEnabled on AuthType Basic AuthName "Test Directory" AuthLDAPURL ldap://192.168.12.29/?cn AuthLDAPCompareDNOnServer off AuthLDAPGroupAttributeIsDN on AuthLDAPRemoteUserIsDN on AuthLDAPGroupAttribute member #Require group CN=SNC Require valid-user </Directory> The agent from IBM told me that they cannot use uid for authentication, but it was working. I did change to cn instead, but things are identical either way. With the config as-is above, the site works. But, if I change the valid-user to group, it breaks.

...

I don't get any messags in the apache logs telling me there was an authentication failure or anything, just

that

...

... a joint effort between me and the Notes administration team here at work, so I have very limited access to any Domino logs. However, we did get IBM involved, and we were told that Domino Dirctory Services is setup correctly.

I set-up apache's authentication to a Domino server using LDAP a 2/3 years ago and pretty much all the steps to be followed where on the apache' side.

It's really strange that there is nothing on apache's error log.

Yes, That is what I thought also. When viewing the website, the authentication box just keeps popping up over and over. If I type the password in wrong, that error is noted in the error_log, and if I type an invalid username, that info is also logged. However, when I type the correct username and password, NOTHING is logged. This is understandable, because the authentication success wouldn't be logged as an error. I'm sure it's the authorization phase that is failing, but the troublesome part is no errors are reported for that phase. The page isn't served, so the access_log shows as a 401 - access denied. Thanks, ~Dale P.S. I didn't notice this response until you responded to my re-post. I'm sorry for re-posting, but I use Lotus Notes for e-mail and it is very difficult to keep track of these threads on such a high-volume list. I haven't been able to figure out how to get Notes to view the [opensuse] messages in a threaded view. -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org

"Gaël Lams" wrote on 08/31/2007 12:16:08 AM:

Hi,

...

AuthLDAPEnabled on AuthType Basic AuthName "Test Directory" AuthLDAPURL ldap://192.168.12.29/?cn AuthLDAPCompareDNOnServer off AuthLDAPGroupAttributeIsDN on AuthLDAPRemoteUserIsDN on AuthLDAPGroupAttribute member #Require group CN=SNC Require valid-user </Directory>

I think you should use

Did you perform an ldapsearch against you domino directory and do you see in the members list the use you are trying to authenticate? you should use this for the ldapsearch: "(&(objectClass=dominoGroup)(cn=SNC))"

I can do ldapsearch with success. ldapsearch -x -H ldap://192.168.12.29 "(&(CN=SNC)(member=CN=Dale Schuster,O=SNCustomer))" dn # extended LDIF # # LDAPv3 # base <> with scope sub # filter: (&(CN=SNC)(member=CN=Dale Schuster,O=SNCustomer)) # requesting: dn # # SNC dn: CN=SNC # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Or even the following: ldapsearch -x -H ldap://192.168.12.29 -D "cn=SNC" member="CN=Dale Schuster,O=SNCustomer" dn # extended LDIF # # LDAPv3 # base <> with scope sub # filter: member=CN=Dale Schuster,O=SNCustomer # requesting: dn # # SNC dn: CN=SNC # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1

Using the cn should be fine. Are you sure you really need " AuthLDAPGroupAttributeIsDN on" and "AuthLDAPRemoteUserIsDN on". I would remove them, especially because I see them indicated as experimental on the apache's web site and I don't think you need them.

I removed both of those directives, and the result is still exactly the same. It is frustrating not seeing anything in the logs. Do you know of what I can do to log more info? Perhaps there is something from openLDAP I can view. ~Dale -- Dale Schuster Systems Administrator Sierra Nevada Corporation Information Systems -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org