[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Invalid dn errors for valid dns?



>> Your problem has nothing to do with OpenLDAP software, but rather with
>> auth_ldap (improper) usage.  The "require group" directive refers to a
>> LDAP group, which is supposed to be of objectClass "groupOfNames" and
>> hold
>
> Ok, that makes sense.  I've got the log level cranked up to 4095; is
> there a way to get OpenLDAP to be even more verbose, so that I could see
> that it was failing because the query was looking of entries in the
> "groupOfNames" object class?
>
>> members in the attribute "member", which is DN-valued.  Your group is
>> of objectClass posixGroup, and has no "member" attributes; you're
>> telling auth_ldap to use the "memberUID" attribute as "member", which,
>> of course contains valid POSIX group names but no valid DN values.
>> This explains the (perfectly correct) error you see.  I suggest you
>> check auth_ldap's
>
> Ok, I misunderstood the meaning of "AuthLDAPGroupAttributeIsDN"; I
> thought it told auth_ldap to look for just names in the group attribute,
> not DN values.
>
> http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html#authldapgroupattributeisdn


I'm not too familiar with auth_ldap (at least, not with this type of
options) but wrom what the docs tell your interpretation was correct. 
I've always used the DN form so I can't say what the real problem.  As you
note in a later message, the group DN must be unquoted, maybe this is
enough to fix your problem with the memberUid and
AuthLDAPGroupAttributeIsDN = off setup.  Did you try?

>
> Thanks for the help.  I suspect that I can fix it with this information.
>
> By the way, is there a reason why group information isn't
> "standardized"?  I mean, I can understand wanting different namespaces
> for things, but there appears to be at least three different dominant
> group mechanisms, and they overlap in functionality.

I guess this is not the appropriate forum to ask.  From the LDAP side,
what makes entriews unique is the DN so membership is by DN; moreover, the
namespace is given by the DN, any other field would require a search on
stored values.

The most verbose logging you can get is with -1.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it




    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497