Apache authentication with LDAP group and group file

Post by David Co » Wed, 15 Aug 2001 09:44:27



A user is allowed access to web pages if they are authenticated
by their password and membership in a group.  The user's password
is authenticated by the LDAP server.  If the user is in the LDAP group,
then they are accepted.  If they are not in the LDAP group, then
the local group file is searched.   If they are in the group file,
they are accepted.

There are predefined groups on the corporate LDAP server, but I
don't have write access to the server.  How can the above scenario
be implemented?  I'm using Apache 1.3.20 with mod_auth_ldap 2.4.

David

Post by Joshua Sliv » Wed, 15 Aug 2001 10:03:06



> A user is allowed access to web pages if they are authenticated
> by their password and membership in a group.  The user's password
> is authenticated by the LDAP server.  If the user is in the LDAP group,
> then they are accepted.  If they are not in the LDAP group, then
> the local group file is searched.   If they are in the group file,
> they are accepted.
> There are predefined groups on the corporate LDAP server, but I
> don't have write access to the server.  How can the above scenario
> be implemented?  I'm using Apache 1.3.20 with mod_auth_ldap 2.4.

See the AuthLDAPAuthoritative directive.  It serves exactly this
purpose.  Most Apache Auth modules have similar directives.

--
Joshua Slive

http://slive.ca/

Post by David Co » Thu, 16 Aug 2001 05:28:48



> See the AuthLDAPAuthoritative directive.  It serves exactly this
> purpose.  Most Apache Auth modules have similar directives.

I do use AuthLDAPAuthoritative.  Setting it to 'yes' will authenticate
against an LDAP group and setting it to 'no' will authenticate against
the group file.  The user needs to be in the ldap group _or_ the group
file, so I would like a way to check both.

<Directory "/home/wldc10/usr/apache/htdocs/man/man1">
AllowOverride AuthConfig
AuthType Basic
AuthName "Restricted Directory"
AuthLDAPAuthoritative no
LDAP_Server ids.mot.com
LDAP_Port 389
Base_DN "ou=People, ou=Intranet, dc=mot, dc=com"
UID_Attr motCoreID
AuthGroupFile /home/wldc10/usr/apache/conf/groups.conf
Require group admin
</Directory>

David

Post by Joshua Sliv » Thu, 16 Aug 2001 06:19:17




>> See the AuthLDAPAuthoritative directive.  It serves exactly this
>> purpose.  Most Apache Auth modules have similar directives.
> I do use AuthLDAPAuthoritative.  Setting it to 'yes' will authenticate
> against an LDAP group and setting it to 'no' will authenticate against
> the group file.  The user needs to be in the ldap group _or_ the group
> file, so I would like a way to check both.

Ooops.  The author of mod_auth_ldap seems to have messed up here.
AuthAuthoritative and AuthdbmAuthoritative and AuthDBAuthoritative
all do what I described, but AuthLDAPAuthoritative is completely
different.  It appears that you can't do what you want with
mod_auth_ldap.

--
Joshua Slive

http://slive.ca/

Post by Joshua Sliv » Thu, 16 Aug 2001 06:27:42





>>> See the AuthLDAPAuthoritative directive.  It serves exactly this
>>> purpose.  Most Apache Auth modules have similar directives.
>> I do use AuthLDAPAuthoritative.  Setting it to 'yes' will authenticate
>> against an LDAP group and setting it to 'no' will authenticate against
>> the group file.  The user needs to be in the ldap group _or_ the group
>> file, so I would like a way to check both.
> Ooops.  The author of mod_auth_ldap seems to have messed up here.
> AuthAuthoritative and AuthdbmAuthoritative and AuthDBAuthoritative
> all do what I described, but AuthLDAPAuthoritative is completely
> different.  It appears that you can't do what you want with
> mod_auth_ldap.

Just as a shot in the dark: There may be a way to get the
reverse of what you want (mod_auth and failing that, mod_auth_ldap)
by reversing the order that you load the two modules into
the server and using the AuthAuthoritative directive.
Clearly, I've never tried this, so I give no guarantees.

--
Joshua Slive

http://slive.ca/

Post by Dave Carriga » Thu, 16 Aug 2001 12:17:40




> > See the AuthLDAPAuthoritative directive.  It serves exactly this
> > purpose.  Most Apache Auth modules have similar directives.

> I do use AuthLDAPAuthoritative.  Setting it to 'yes' will authenticate
> against an LDAP group and setting it to 'no' will authenticate against
> the group file.  The user needs to be in the ldap group _or_ the group
> file, so I would like a way to check both.

Try using auth_ldap at http://www.rudedog.org/auth_ldap/

Its AuthLDAPAuthoritative directive will do the right thing.

--

UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | -- I wonder if we'll ever reach
Seattle, WA, USA                            | their level of COMPARATIVE
http://www.rudedog.org/                     | SHOPPING...

Post by David Co » Thu, 16 Aug 2001 14:51:51



> Ooops.  The author of mod_auth_ldap seems to have messed up here.
> AuthAuthoritative and AuthdbmAuthoritative and AuthDBAuthoritative
> all do what I described, but AuthLDAPAuthoritative is completely
> different.  It appears that you can't do what you want with
> mod_auth_ldap.

Which ldap authentication module do you use?

And thanks for the assistance.

David


Apache and LDAP-group authentication

I've got Apache, mod_proxy, and mod_ldap compiled
and running successfully.  I can successfully authenticate
to the LDAP directory using the "require valid-user"
directive.

My question concerns how do I setup an LDAP filter to
handle group authentication?  I'd like to be able to check
to see if a user is in the list of 'uniquemember's on the
LDAP server before allowing them to use the proxy.
My LDAP group has the following structure:

Object Class     top groupOfUniqueNames
Name             TestIntacc
Notes            none
creatorsname     cn=Directory Manager
createtimestamp  19980916205723Z
uniquemember     c=US uid=JRTIETSORT, o=Micron Technology, c=US
modifiersname    cn=Directory Manager
modifytimestamp  19980916205921Z

I've tried filters like this in my Directory statement:

<Directory proxy:*>
order deny,allow
allow from all
AuthName DeepBlue-Proxy
AuthType Basic
#require valid-user
require filter '(&(objectClass=groupOfUniqueNames)(cn=TestIntacc))'
#require filter (&(&(objectclass=groupofuniquenames)(cn=TestIntacc))(uid=*))
LDAPServer  ldap://ldap1.micron.com:389/
LDAPAuth  on
LDAPBase  'o=Micron Technology,c=US'
LDAPuseridAttr  uid
</Directory>

I just can't seem to get it to work and the LDAP logs
are not very descriptive as to what the problem
might be.

Does anyone have experience with this configuration?
Am I missing something simple?

Thanks....

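As an added illustration (not code from either thread, nor from mod_auth_ldap or mod_ldap), here is the access decision both posts describe: authenticate the password with an LDAP bind, then accept the user if their DN is a uniquemember of the groupOfUniqueNames entry or, failing that, if the uid is listed in an AuthGroupFile-style group file. The in-memory DIRECTORY, GROUP_FILE, BASE_DN and the uid/password values are constructed sample data that stand in for a real server.

```python
# Constructed sample data: the DNs mirror the thread's examples, but nothing here talks to a real server.
GROUP_FILE = "# AuthGroupFile format: one 'group: user user ...' line per group\nTestIntacc: alice bob\n"
BASE_DN = "o=Micron Technology,c=US"
DIRECTORY = {  # DN -> attributes, standing in for the LDAP directory
    "cn=TestIntacc,o=Micron Technology,c=US": {"objectClass": ["top", "groupOfUniqueNames"],
                                               "uniquemember": ["uid=JRTIETSORT, o=Micron Technology, c=US"]},
    "uid=JRTIETSORT,o=Micron Technology,c=US": {"userPassword": ["pw1"]},
    "uid=alice,o=Micron Technology,c=US": {"userPassword": ["pw2"]},
    "uid=carol,o=Micron Technology,c=US": {"userPassword": ["pw3"]},
}

def normalize_dn(dn):
    # DN comparison ignores case and the whitespace around RDN separators.
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_group_file(text):
    # Apache AuthGroupFile syntax: 'group: member member ...', '#' starts a comment.
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, members = line.split(":", 1)
            groups[name.strip()] = set(members.split())
    return groups

def ldap_bind(uid, password):
    # Simulates a simple bind as uid=<uid>,<BASE_DN>; returns the bound DN or None.
    if not password:  # LDAP treats an empty password as an anonymous bind, so refuse it up front
        return None
    dn = f"uid={uid},{BASE_DN}"
    entry = DIRECTORY.get(dn)
    return dn if entry and password in entry.get("userPassword", []) else None

def in_ldap_group(user_dn, group_cn):
    # groupOfUniqueNames membership: the user's DN must appear as a uniquemember value.
    group = DIRECTORY.get(f"cn={group_cn},{BASE_DN}", {})
    if "groupOfUniqueNames" not in group.get("objectClass", []):
        return False
    return normalize_dn(user_dn) in {normalize_dn(m) for m in group.get("uniquemember", [])}

def authorize(uid, password, group):
    # The policy from the thread: LDAP password first, then LDAP group OR local group file.
    user_dn = ldap_bind(uid, password)
    if user_dn is None:
        return (False, "bad-credentials")       # never consult groups for an unauthenticated user
    if in_ldap_group(user_dn, group):
        return (True, "ldap-group")
    if uid in parse_group_file(GROUP_FILE).get(group, set()):
        return (True, "group-file")
    return (False, "not-a-member")              # deny by default
```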
