Netware Webserver forum archive, September 2005
mod_auth_ldap weirdness
Jeff Johnson 2005-08-31, 5:50 pm
Hello, I am seeing some strangeness in how mod_auth_ldap works or appears
to work. Using this config:
<Directory "sys:/apache/htdocs/test/cgi-bin/">
Options Indexes FollowSymLinks MultiViews
AllowOverride AuthConfig
order allow,deny
allow from xxx.xx
AuthName "test1"
AuthType Basic
AuthLDAPURL ldap://test1.acme.edu:389/ou=people,dc=acme,dc=edu?cn?sub?
AuthLDAPBindDN cn=testuser,o=test
AuthLDAPBindPassword testpassword
require group cn=group,dc=acme,dc=edu
</Directory>
Now how I *thought* this should work was that the AUTHLDAPBINDDN would
perform the searches, compares, etc. It doesn't. It simply binds you first.
Then the id you login with on apache will perform the compare to see if you
are in the required group. This is totally backwards. Because now I have to
give all my users read rights to the member attribute. If this worked
properly I would just have to give the AUTHLDAPBINDDN account the read
rights to the member attribute. What gives???
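The two group-check orders Jeff contrasts, modelled as an added toy example (not code from this thread or from mod_auth_ldap itself): a constructed directory, a constructed ACL in which only the AuthLDAPBindDN account has read on `member`, and the three steps mod_auth_ldap performs (search for the user's DN, bind as the user, compare the user DN against the group's `member` attribute). `compare_as_user=False` is the order Jeff expected; `True` is the order he saw in the trace, which is why the users themselves then need read rights on `member`. All DNs, passwords and ACL entries are constructed placeholders.

```python
"""Toy model of the two mod_auth_ldap group-check orders from the post above."""

# Constructed toy directory: DN -> attributes (names follow the post's placeholders).
DIRECTORY = {
    "cn=jeff,ou=people,dc=acme,dc=edu": {"cn": ["jeff"], "userPassword": ["s3cret"]},
    "cn=group,dc=acme,dc=edu": {"member": ["cn=jeff,ou=people,dc=acme,dc=edu"]},
}

# Constructed ACL: which bound identity may read which attribute. Ordinary users
# can read cn but, as in the post, have NOT been granted read on 'member'.
ACL = {
    "cn=testuser,o=test": {"cn", "member"},           # the AuthLDAPBindDN account
    "cn=jeff,ou=people,dc=acme,dc=edu": {"cn"},       # a browser user
}

def can_read(bound_as, attr):
    return attr in ACL.get(bound_as, set())

def search_user(bound_as, username):
    """Step 1: resolve the login name to a DN via the AuthLDAPURL filter (cn=<name>)."""
    if not can_read(bound_as, "cn"):
        return None
    for dn, attrs in DIRECTORY.items():
        if username in attrs.get("cn", []):
            return dn
    return None

def bind(dn, password):
    """Step 2: authenticate the browser user with their own credentials."""
    return password in DIRECTORY.get(dn, {}).get("userPassword", [])

def group_compare(bound_as, group_dn, user_dn):
    """Step 3: LDAP compare on the group's member attribute, run as 'bound_as'."""
    if not can_read(bound_as, "member"):
        return False  # insufficient access: the compare fails, so 'require group' fails
    return user_dn in DIRECTORY[group_dn].get("member", [])

def authorize(username, password, compare_as_user):
    """Full 'require group' decision; compare_as_user picks which identity runs step 3."""
    bind_dn = "cn=testuser,o=test"
    group_dn = "cn=group,dc=acme,dc=edu"
    user_dn = search_user(bind_dn, username)
    if user_dn is None or not bind(user_dn, password):
        return False
    who = user_dn if compare_as_user else bind_dn
    return group_compare(who, group_dn, user_dn)
```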
Automatic reply 2005-09-06, 7:45 am
Jeff,
It appears that in the past few days you have not received a response to your
posting. That concerns us, and has triggered this automated reply.
Has your problem been resolved? If not, you might try one of the following options:
- Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
- Check all of the other support tools and options available at
http://support.novell.com.
- You could also try posting your message again. Make sure it is posted in the
correct newsgroup. (http://support.novell.com/forums)
Be sure to read the forum FAQ about what to expect in the way of responses:
http://support.novell.com/forums/faq_general.html
If this is a reply to a duplicate posting, please ignore and accept our apologies
and rest assured we will issue a stern reprimand to our posting bot.
Good luck!
Your Novell Product Support Forums Team
http://support.novell.com/forums/
Andy Thompson (SysOp) 2005-09-06, 5:50 pm
Jeff Johnson wrote:
> Hello, I am seeing some strangeness in how mod_auth_ldap works or appears
> to work. Using this config:
>
> <Directory "sys:/apache/htdocs/test/cgi-bin/">
> Options Indexes FollowSymLinks MultiViews
> AllowOverride AuthConfig
> order allow,deny
> allow from xxx.xx
> AuthName "test1"
> AuthType Basic
> AuthLDAPURL ldap://test1.acme.edu:389/ou=people,dc=acme,dc=edu?cn?sub?
> AuthLDAPBindDN cn=testuser,o=test
> AuthLDAPBindPassword testpassword
> require group cn=group,dc=acme,dc=edu
> </Directory>
>
>
> Now how I *thought* this should work was that the AUTHLDAPBINDDN would
> perform the searches, compares, etc. It doesn't. It simply binds you first.
> Then the id you login with on apache will perform the compare to see if you
> are in the required group. This is totally backwards. Because now I have to
> give all my users read rights to the member attribute. If this worked
> properly I would just have to give the AUTHLDAPBINDDN account the read
> rights to the member attribute. What gives???
That is working as designed AFAIK. The binddn is used in the event you
don't want to enable anonymous binds to the LDAP server. Every user
should be able to read its group membership property though without any
additional rights being assigned.
--
-andy
Jeff Johnson 2005-09-06, 5:50 pm
It works differently between apache windows and apache netware. I accidentally
was looking at the ldap trace from a windows machine. The netware apache
behaves as I suspected it should. Odd.
"Andy Thompson (SysOp)" <00aet@myrealbox.com> wrote in message
news:p8hTe.3086$Ej2.1102@prv-forum2.provo.novell.com...
> Jeff Johnson wrote:
>
>
> That is working as designed AFAIK. The binddn is used in the event you
> don't want to enable anonymous binds to the LDAP server. Every user
> should be able to read its group membership property though without any
> additional rights being assigned.
>
> --
>
> -andy