[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [Fwd: Auth with group membership is failing.]

To: tsg <tsg@bugalux.com>
Subject: Re: [Fwd: Auth with group membership is failing.]
From: Brian Vandruff <brian@ink.org>
Date: Fri, 11 Apr 2003 10:56:19 -0500 (CDT)
Cc: "'OpenLdap'" <openldap-software@OpenLDAP.org>
In-reply-to: <200304110953.23013.tsg@bugalux.com>

On Fri, 11 Apr 2003, tsg wrote:

> þÅÔ×ÅÒÇ 10 áÐÒÅÌØ 2003 21:43, Brian Vandruff ÎÁÐÉÓÁÌ:
> > Just some additional information:
> >
> > The apache group auth ldap works against 2.0.x server. It does not work
> > against 2.1.x servers.
> Try to use "set" instead of group. For me it was a solution.
> 

Well...I still get error 401 Forbidden. 

valid-user works, and neither the 'group' nor the 'set' requires work.

<Directory /var/www/html/secure>
# Authentication Realm and Type
	AuthName "Staff Area"
	AuthType Basic
	AuthLDAPURL ldap://some.host.com/dc=host,dc=com
#	require valid-user
	require group cn=staff,ou=groups,dc=host,dc=com
#	require set cn=staff,ou=groups,dc=host,dc=com
</Directory>

But the debug output looks very different. I have attached a text file 
containing debug output from the three different types of authentication.

using "require set" I get the following debug output:

Apr 11 09:52:23 some.host slapd[16348]: connection_get(15)
Apr 11 09:52:23 some.host slapd[16350]: send_ldap_result: err=0 matched="" text=""
Apr 11 09:52:23 some.host slapd[16348]: connection_get(15)
Apr 11 09:52:23 some.host slapd[16350]: SRCH "dc=host,dc=org" 2 3
Apr 11 09:52:23 some.host slapd[16350]:     0 0 -1
Apr 11 09:52:23 some.host slapd[16350]:     filter: (&(objectClass=*)(uid=brian))
Apr 11 09:52:23 some.host slapd[16350]:     attrs:
Apr 11 09:52:23 some.host slapd[16350]:
Apr 11 09:52:23 some.host slapd[16348]: connection_get(15)
Apr 11 09:52:23 some.host slapd[16350]: ==> ldbm_back_bind: dn: uid=brian,ou=people,dc=host,dc=org
Apr 11 09:52:23 some.host slapd[16350]: send_ldap_result: err=0 matched="" text=""

using "require valid-user" I get the following debug out put and a
successfull authentication.

Apr 11 09:54:13 some.host slapd[16348]: connection_get(9)
Apr 11 09:54:13 some.host slapd[16350]: send_ldap_result: err=0 matched="" text=""
Apr 11 09:54:13 some.host slapd[16348]: connection_get(9)
Apr 11 09:54:13 some.host slapd[16350]: SRCH "dc=host,dc=org" 2 3
Apr 11 09:54:13 some.host slapd[16350]:     0 0 -1
Apr 11 09:54:13 some.host slapd[16350]:     filter: (&(objectClass=*)(uid=scottm))
Apr 11 09:54:13 some.host slapd[16350]:     attrs:
Apr 11 09:54:13 some.host slapd[16350]:
Apr 11 09:54:13 some.host slapd[16348]: connection_get(9)
Apr 11 09:54:13 some.host slapd[16350]: ==> ldbm_back_bind: dn: uid=scottm,ou=people,dc=host,dc=org
Apr 11 09:54:13 some.host slapd[16350]: send_ldap_result: err=0 matched="" text=""

using "require group" I get FORBIDDEN and the following debug output:


Apr 11 10:30:27 some.host slapd[16348]: connection_get(9)
Apr 11 10:30:27 some.host slapd[16350]: SRCH "dc=host,dc=org" 2 3
Apr 11 10:30:27 some.host slapd[16350]:     0 0 -1
Apr 11 10:30:27 some.host slapd[16350]:     filter: (&(objectClass=*)(uid=brian))
Apr 11 10:30:27 some.host slapd[16350]:     attrs:
Apr 11 10:30:27 some.host slapd[16350]:
Apr 11 10:30:27 some.host slapd[16348]: connection_get(9)
Apr 11 10:30:27 some.host slapd[16350]: ==> ldbm_back_bind: dn: uid=brian,ou=people,dc=host,dc=org
Apr 11 10:30:27 some.host slapd[16350]: send_ldap_result: err=0 matched="" text=""
Apr 11 10:30:27 some.host slapd[16348]: connection_get(9)
Apr 11 10:30:27 some.host slapd[16350]: send_ldap_result: err=0 matched="" text=""
Apr 11 10:30:27 some.host slapd[16348]: connection_get(9)
Apr 11 10:30:27 some.host slapd[16350]: do_compare: dn (cn=staff,ou=groups,dc=host,dc=org) attr (member) value (uid=brian,ou=people,dc=host,dc=org)
Apr 11 10:30:27 some.host slapd[16350]: send_ldap_result: err=16 matched="" text=""
Apr 11 10:30:27 some.host slapd[16348]: connection_get(9)
Apr 11 10:30:27 some.host slapd[16350]: do_compare: dn (cn=staff,ou=groups,dc=host,dc=org) attr (uniqueMember) value (uid=brian,ou=people,dc=host,dc=org)
Apr 11 10:30:27 some.host slapd[16350]: dnMatch -1       "uid=brian,ou=People,dc=host,dc=org"     "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=bruce,ou=People,dc=host,dc=org"     "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=dustin,ou=People,dc=host,dc=org"    "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=dadams,ou=People,dc=host,dc=org"    "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 2        "uid=michael,ou=People,dc=host,dc=org"   "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch -1       "uid=lisa,ou=People,dc=host,dc=org"      "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 2        "uid=jeanine,ou=People,dc=host,dc=org"   "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=robert,ou=People,dc=host,dc=org"    "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=vicki,ou=People,dc=host,dc=org"     "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=anitra,ou=People,dc=host,dc=org"    "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=scottm,ou=People,dc=host,dc=org"    "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=randy,ou=People,dc=host,dc=org"     "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch -1       "uid=kent,ou=People,dc=host,dc=org"      "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=steve,ou=People,dc=host,dc=org"     "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=mandi,ou=People,dc=host,dc=org"     "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=leslie,ou=People,dc=host,dc=org"    "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 2        "uid=jessica,ou=People,dc=host,dc=org"   "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=leahr,ou=People,dc=host,dc=org"     "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=brians,ou=People,dc=host,dc=org"    "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: dnMatch 1        "uid=cathy,ou=People,dc=host,dc=org"     "uid=brian,ou=people,dc=host,dc=org"
Apr 11 10:30:27 some.host slapd[16350]: send_ldap_result: err=5 matched="" text=""

Prev by Date: Re: Quoting Spaces in DN, again
Next by Date: Re: how to determine need to upgrade
Index(es):
- Chronological
- Thread