Netware Webserver - require edir-user doesn't work


Author require edir-user doesn't work
Dan Van

2005-05-19, 5:45 pm

Has anyone ever gotten the "require edir-user" directive to work? I've
looked in the TIDs, newsgroups, and general Google search and have found
lots of reports of problems, but no solutions.

I'm trying to secure a directory using file system permissions. The
server is running NW 6.5 SP2, Apache 2.0.52, and mod_edir 1.0.8 (was
initially 1.0.7, but was upgraded in the troubleshooting process). I
have verified that mod_edir is loaded and is being loaded by this
particular instance of Apache. Utilldap and authldap are also loaded;
their version is listed as 2.00.52.

The server Apache is running on is also the eDirectory server. User
home directories are configured and working fine. I have tried switching
between ldaps and ldap with no joy. It also doesn't matter whether
searching on UID or CN. I've also tried changing the AuthLDAPAuthoritative
directive and setting AuthLDAPDereferenceAliases to never.

When someone with the proper permissions tries to hit the secured
folder, they are prompted to login 3 times and then receive a 401 error.
The Apache error log shows this repeated 3 times:

[Thu May 19 09:49:32 2005] [error] [client XX.XX.XX.XX] access to /ejc failed, reason: user FRED not allowed access
[Thu May 19 09:49:32 2005] [error] [client XX.XX.XX.XX] access to /ejc failed, reason: unknown require directive:"edir-user"
[Thu May 19 09:49:32 2005] [error] [client XX.XX.XX.XX] failed to set the current working directory for cn=FRED.ou=users.o=law error: 9

The directory's configuration is as follows:

<Directory DATA:/Shared/LawClinic/EJCWeb>
Options MultiViews
AllowOverride None
Order deny,allow
Allow from all
AuthType Basic
AuthName "EJC Web"
Require edir-user
AuthLDAPAuthoritative Off
AuthLDAPURL ldaps://server.domain.edu/ou=users,o=law?uid?sub
</Directory>

<IfModule mod_edir.c>
eDirServer server.domain.edu
hDirUserSubDirectory public_html
RemoteDirEnabled off
HomeDirEnabled On
hDirSearchContexts ou=users,o=law
</IfModule>

<IfModule mod_auth_ldap.c>
AuthLDAPCharsetConfig conf/charset.conv
</IfModule>

Any help or suggestions would be greatly appreciated.

Thanks,

Dan Vander Ploeg
University of Illinois College of Law

Doug Deitterick

2005-05-19, 5:45 pm

It works just fine for us. We are running NetWare OES, Apache 2.0.52 and
mod_edir 1.0.8. Here's our config:

<Directory DATA:/web/download>
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Penn College"
AuthLDAPURL ldaps://<ldap-server>/ou=USERS,o=ORG
require edir-user
</Directory>

<IfModule mod_edir.c>
eDirServer <ldap-server>
HomeDirEnabled on
hDirSearchAttr cn
hDirUserTag ~
hDirSearchContexts ou=USERS.o=ORG ou=USERS2.o=ORG
hDirUserSubDirectory public_html
RemoteDirEnabled off
</IfModule>

<IfModule mod_auth_ldap.c>
#
# This directive specifies the file that contains all of the character set
# information that auth_ldap needs to do the charset conversions
#
AuthLDAPCharsetConfig conf/charset.conv
</IfModule>

--
Doug Deitterick
CNA
Systems Administrator
Pennsylvania College of Technology
One College Avenue
Williamsport, PA 17701
ddeitter@pct.edu



NormW

2005-05-20, 5:45 pm

G'Morning,
Two issues that, if not immediately in effect, will be by the time you
get this working are that 'require edir-user' logs in to NetWare and will
consume a user licence, and authentication to LDAP requires 'concurrent
connections' to be at least two if the user is already logged in to the
network.
Recommend you get an LDAP Browser (the one by Joe Cook on the Novell
free tools site is the only one I've used/needed) and verify visibility
of the LDAP object properties, and then adjust access rights as needed
(using an LDAP Proxy as mentioned below).
If the LDAP server is on the same machine as Apache then AuthLDAPURL can
use ldap:// but you will need to set the flag on the LDAP Group object
that allows Clear Text Passwords.
Norm.


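Added example (not from any poster in this thread, and not Novell or Apache code): a small Python check that splits each AuthLDAPURL in a config into scheme, host, base DN, search attribute and scope, and flags the ldap:// case the last reply ties to the Clear Text Passwords flag. The function names and the DATA:/web/cleartext block are constructed for illustration; the uid and sub defaults are the ones documented for mod_auth_ldap.

```python
import re
from urllib.parse import unquote

# Constructed sample: the thread's two AuthLDAPURL values plus a clear-text one.
SAMPLE_CONF = """\
<Directory DATA:/Shared/LawClinic/EJCWeb>
Require edir-user
AuthLDAPURL ldaps://server.domain.edu/ou=users,o=law?uid?sub
</Directory>
<Directory DATA:/web/download>
AuthLDAPURL ldaps://<ldap-server>/ou=USERS,o=ORG
require edir-user
</Directory>
<Directory DATA:/web/cleartext>
AuthLDAPURL ldap://server.domain.edu/ou=users,o=law?cn
require edir-user
</Directory>
"""

URL_RE = re.compile(r"^(ldaps?)://([^/]*)/([^?]*)(?:\?(.*))?$", re.I)

def parse_auth_ldap_url(url):
    """Split scheme://host/basedn?attribute?scope?filter into its fields."""
    m = URL_RE.match(url.strip().strip('"'))
    if not m:
        raise ValueError("not an ldap:// or ldaps:// URL: %r" % url)
    scheme, host, base, rest = m.groups()
    parts = (rest or "").split("?") + ["", ""]
    return {
        "scheme": scheme.lower(), "host": host, "base": unquote(base),
        "attribute": parts[0] or "uid",  # documented mod_auth_ldap default
        "scope": parts[1] or "sub",      # documented mod_auth_ldap default
    }

def audit(conf):
    """Return (directory, parsed_url, warnings) per AuthLDAPURL found."""
    results, current = [], None
    for line in conf.splitlines():
        line = line.strip()
        m = re.match(r"<Directory\s+(.+)>$", line, re.I)
        if m:
            current = m.group(1)
        elif line.lower() == "</directory>":
            current = None
        elif current and line.lower().startswith("authldapurl"):
            info = parse_auth_ldap_url(line.split(None, 1)[1])
            warn = ["ldap://: bind password sent without SSL"] if info["scheme"] == "ldap" else []
            results.append((current, info, warn))
    return results
```

Calling audit() on a real httpd.conf shows, per directory, which attribute and scope the LDAP search will actually use when the URL leaves them out, and which directories bind over plain ldap://.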
Copyright 2003 - 2008 webservertalk.com