[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Invalid dn errors for valid dns?
> Your problem has nothing to do with OpenLDAP software, but rather with
> auth_ldap (improper) usage. The "require group" directive refers to a
> LDAP group, which is supposed to be of objectClass "groupOfNames" and hold
Ok, that makes sense. I've got the log level cranked up to 4095; is there
a way to get OpenLDAP to be even more verbose, so that I could see that it
was failing because the query was looking of entries in the "groupOfNames"
object class?
> members in the attribute "member", which is DN-valued. Your group is of
> objectClass posixGroup, and has no "member" attributes; you're telling
> auth_ldap to use the "memberUID" attribute as "member", which, of course
> contains valid POSIX group names but no valid DN values. This explains
> the (perfectly correct) error you see. I suggest you check auth_ldap's
Ok, I misunderstood the meaning of "AuthLDAPGroupAttributeIsDN"; I thought
it told auth_ldap to look for just names in the group attribute, not DN
values.
http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html#authldapgroupattributeisdn
Thanks for the help. I suspect that I can fix it with this information.
By the way, is there a reason why group information isn't "standardized"?
I mean, I can understand wanting different namespaces for things, but
there appears to be at least three different dominant group mechanisms,
and they overlap in functionality.
Thanks again!
--- SER