Re: Invalid dn errors for valid dns?
>> Your problem has nothing to do with OpenLDAP software, but rather with
>> auth_ldap (improper) usage. The "require group" directive refers to a
>> LDAP group, which is supposed to be of objectClass "groupOfNames" and
>> hold
>
> Ok, that makes sense. I've got the log level cranked up to 4095; is
> there a way to get OpenLDAP to be even more verbose, so that I could see
> that it was failing because the query was looking of entries in the
> "groupOfNames" object class?
>
>> members in the attribute "member", which is DN-valued. Your group is
>> of objectClass posixGroup, and has no "member" attributes; you're
>> telling auth_ldap to use the "memberUID" attribute as "member", which,
>> of course contains valid POSIX group names but no valid DN values.
>> This explains the (perfectly correct) error you see. I suggest you
>> check auth_ldap's
>
> Ok, I misunderstood the meaning of "AuthLDAPGroupAttributeIsDN"; I
> thought it told auth_ldap to look for just names in the group attribute,
> not DN values.
>
> http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html#authldapgroupattributeisdn
I'm not too familiar with auth_ldap (at least, not with this type of
options) but from what the docs tell, your interpretation was correct.
I've always used the DN form so I can't say what the real problem is. As you
note in a later message, the group DN must be unquoted; maybe this is
enough to fix your problem with the memberUid and
AuthLDAPGroupAttributeIsDN = off setup. Did you try?
>
> Thanks for the help. I suspect that I can fix it with this information.
>
> By the way, is there a reason why group information isn't
> "standardized"? I mean, I can understand wanting different namespaces
> for things, but there appears to be at least three different dominant
> group mechanisms, and they overlap in functionality.
I guess this is not the appropriate forum to ask. From the LDAP side,
what makes entries unique is the DN, so membership is by DN; moreover, the
namespace is given by the DN, any other field would require a search on
stored values.
The most verbose logging you can get is with -1.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
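The mismatch discussed in this thread (a posixGroup whose memberUid values are login names, checked as if they were DNs) can be modelled in a few lines. The following is an added example, not code from the list or from mod_auth_ldap; the two group entries, the user DN and the Apache directive lines in the comments are constructed to match each other, and the matching logic is a model of the documented meaning of AuthLDAPGroupAttributeIsDN, not the module's implementation.

```python
"""Model of an auth_ldap-style "require group" check, showing why a
posixGroup/memberUid group fails when its values are treated as DNs
and works when AuthLDAPGroupAttributeIsDN is off.

Constructed sample data; not copied from any real directory.

Apache 2.0 directives that correspond to the two group styles below:
  groupOfNames:  AuthLDAPGroupAttribute member     AuthLDAPGroupAttributeIsDN on
  posixGroup:    AuthLDAPGroupAttribute memberUid  AuthLDAPGroupAttributeIsDN off
  both:          require group cn=webadmins,ou=groups,dc=example,dc=com  (unquoted)
"""

# Constructed group entry in the RFC-style "groupOfNames" form: DN-valued members.
GROUP_OF_NAMES = {
    "dn": "cn=webadmins,ou=groups,dc=example,dc=com",
    "objectClass": ["top", "groupOfNames"],
    "cn": ["webadmins"],
    "member": [
        "uid=alice,ou=people,dc=example,dc=com",
        "uid=bob,ou=people,dc=example,dc=com",
    ],
}

# Constructed group entry in the posixGroup form: memberUid holds login names only.
POSIX_GROUP = {
    "dn": "cn=webadmins,ou=groups,dc=example,dc=com",
    "objectClass": ["top", "posixGroup"],
    "cn": ["webadmins"],
    "gidNumber": ["1001"],
    "memberUid": ["alice", "bob"],
}


def looks_like_dn(value: str) -> bool:
    """A DN is a comma-separated list of attr=value RDNs. A bare login name
    such as "alice" has no '=' and therefore cannot be a DN."""
    return all("=" in rdn for rdn in value.split(",")) and value.strip() != ""


def normalize_dn(dn: str) -> str:
    """Crude DN normalisation (case-fold, trim around ',' and '=').
    Real servers apply the full DN matching rule; this suffices for the model."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, val = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def invalid_dn_values(group: dict, group_attr: str) -> list:
    """Values of group_attr that would be rejected as invalid DNs if the
    attribute were treated as DN-valued. Empty list means every value is a DN."""
    return [v for v in group.get(group_attr, []) if not looks_like_dn(v)]


def is_group_member(group: dict, group_attr: str, attr_is_dn: bool,
                    user_dn: str, username: str) -> bool:
    """Model of the membership test.

    attr_is_dn=True : each value is parsed as a DN and compared with the
                      authenticated user's DN (groupOfNames/member).
    attr_is_dn=False: each value is compared with the login name
                      (posixGroup/memberUid).
    """
    values = group.get(group_attr, [])
    if attr_is_dn:
        target = normalize_dn(user_dn)
        # Non-DN values can never match a DN; they are the "invalid dn" case.
        return any(looks_like_dn(v) and normalize_dn(v) == target for v in values)
    return username in values


def check_all_setups(user_dn: str, username: str) -> dict:
    """Run the four combinations so the broken and working setups sit side by side."""
    return {
        "groupOfNames/member, IsDN on":   is_group_member(GROUP_OF_NAMES, "member", True, user_dn, username),
        "posixGroup/memberUid, IsDN on":  is_group_member(POSIX_GROUP, "memberUid", True, user_dn, username),
        "posixGroup/memberUid, IsDN off": is_group_member(POSIX_GROUP, "memberUid", False, user_dn, username),
        "groupOfNames/member, IsDN off":  is_group_member(GROUP_OF_NAMES, "member", False, user_dn, username),
    }


if __name__ == "__main__":
    for setup, ok in check_all_setups("uid=alice,ou=people,dc=example,dc=com", "alice").items():
        print(f"{setup:35s} -> {'member' if ok else 'NOT a member'}")
    print("non-DN memberUid values:", invalid_dn_values(POSIX_GROUP, "memberUid"))
```

Running it shows that only the two consistent pairings succeed: DN-valued attribute with IsDN on, or name-valued attribute with IsDN off. The posixGroup with IsDN on is the configuration from the thread, and `invalid_dn_values` lists exactly the values the server would report as invalid DNs.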