prob with mod_authnz_ldap (apache 2.2.3)
    prob with mod_authnz_ldap (apache 2.2.3)  
Werner Flamme




 
01-26-07 06:20 PM

Hi,

I try to add LDAP auth to an alias. Apache does not start and shows me an
error in the line

AuthLDAPURL ldap://ldap1.ufz.de ldap2.ufz.de
ldap3.ufz.de/ou=People,dc=ufz,dc=de

The error says:

AuthLDAPURL takes 1-2 arguments, URL to define LDAP connection. This should
be an RFC 2255 complaint\nURL of the form
ldap://host[:port]/basedn[?attrib[?scope[?filter]]].\n<ul>\n
<li>Host is the
name of the LDAP server. Use a space separated list of hosts \nto specify
redundant servers.\n<li>Port is optional, and specifies the port to connect
to.\n<li>basedn specifies the base DN to start searches from\n<li>Attrib
specifies what attribute to search for in the directory. If not provided,
it defaults to <b>uid</b>.\n<li>Scope is the scope of the search, and can
be either <b>sub</b> or <b>one</b>. If not provided, the default is
<b>sub</b>.\n<li>Filter is a filter to use in the search. If not provided,
defaults to <b>(objectClass=*)</b>.\n</ul>\nSearches are performed using
the attribute and the filter combined. For example, assume that the\nLDAP
URL is <b>ldap://ldap.airius.com/ou=People,
o=Airius?uid?sub?(posixid=*)</b>. Searches will\nbe done using the filter
<b>(&((posixid=*))(uid=<i>username</i> ))</b>, where <i>username</i>\nis the
user name passed by the HTTP client. The search will be a subtree search on
the branch <b>ou=People, o=Airius</b>.

I do not understand where my line differs from the given instruction. Even
reading http://httpd.apache.org/docs/2.2/mo...uthnz_ldap.html does not
help me. Adding "?uid" does not help either.

When I add :389 after each host name, I get another error:
Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/START
TLS
Where do I have to note the NONE? And why is there no example in the docs?
And why is this parameter required, when the docs say "An optional
parameter can be added to allow the LDAP Url to override the connection type
"?

Someone please bang my head and tell me the obvious error?

Regards,
Werner








    Re: prob with mod_authnz_ldap (apache 2.2.3)  
Davide Bianchi




 
01-26-07 06:20 PM

On 2007-01-26, Werner Flamme <werner.flamme@ufz.de> wrote:
> I try to add LDAP auth to an alias. Apache does not start and shows me an
> error in the line
>
> AuthLDAPURL ldap://ldap1.ufz.de ldap2.ufz.de
> ldap3.ufz.de/ou=People,dc=ufz,dc=de
>
> The error says:
>
> AuthLDAPURL takes 1-2 arguments, URL to define LDAP connection. This should
> be an RFC 2255 complaint\nURL of the form
> ldap://host[:port]/basedn[?attrib[?scope[?filter]]]

> I do not understand where my line differs from the given instruction.

It's quite clear: you have SPACES in the directives, each space
distinguishes an argument, hence you have more than 1 or 2 arguments,
so your line isn't correct.

I'll try with something like

AuthLDAPURL ldap://ldap1.ufz.de/ou=People,dc=ufz,dc=de

Davide

--
SETI@home:
That would be on the "Let's look for intelligence out there, because there's
none here" principle?
-- Paul Tomblin








    Re: prob with mod_authnz_ldap (apache 2.2.3)  
Werner Flamme




 
01-29-07 06:18 PM

Davide Bianchi wrote on 26.01.2007 18:50:
> On 2007-01-26, Werner Flamme <werner.flamme@ufz.de> wrote: 
> 
>
> It's quite clear: you have SPACES in the directives, each space
> distinguish an argument, hence you have more than 1 or 2 arguments,
> so your line isn't correct.
>
> I'll try with something like
>
> AuthLDAPURL ldap://ldap1.ufz.de/ou=People,dc=ufz,dc=de
>
> Davide
>

Davide,

thanks, yes this works.

I need redundant LDAP servers because we had unpredictable LDAP server
crashes and hangups during the last weeks. When I look on
http://httpd.apache.org/docs/2.2/mo...thnz_ldap.html, I read in
"AuthLDAPUrl Directive" section:
---snip---
To specify multiple, redundant LDAP servers, just list all servers,
separated by spaces.
---pins---

Sure I have spaces in my configuration, but what other shall I do when I
want redundant LDAP servers? :-/

In the "Examples" section, I find
---snip---
The next example is the same as above; but with the fields that have useful
defaults omitted. Also, note the use of a redundant LDAP server.

AuthLDAPURL ldap://ldap1.airius.com ldap2.airius.com/ou=People, o=Airius
---pins---
which shows 2 spaces (one between the servers) and is shown as a valid
example. When I extend ldap://ldap1.ufz.de/ou=People,dc=ufz,dc=de to
ldap://ldap1.ufz.de ldap2.ufz.de/ou=People,dc=ufz,dc=de, I get
---snip---
Syntax error on line 14 of /etc/apache2/local.conf/nagios.conf:
Invalid LDAP connection mode setting: must be one of NONE, SSL, or TLS/START
TLS
---pins---

whereas I read on mod_authnz_ldap.html:
---snip---
NONE
Establish an unsecure connection on the default LDAP port. This is the
same as ldap:// on port 389.
---pins---

When I add ":389" to both servers, I get the message telling me
"AuthLDAPURL takes 1-2 arguments..." (BTW, when I look at
ldap://ldap1.ufz.de ldap2.ufz.de/ou=People,dc=ufz,dc=de, I see one space
and so it should be not more than the 2 parameters allowed...)

Is "apache2ctl -t" wrong or the docs or the code? ;-)

Regards,
Werner








    Re: prob with mod_authnz_ldap (apache 2.2.3)  
Davide Bianchi




 
01-29-07 06:18 PM

On 2007-01-29, Werner Flamme <werner.flamme@ufz.de> wrote:
> I need redundant LDAP servers because we had unpredictable LDAP server
> crashes and hangups during the last weeks.

Well... this is not exactly a problem in Apache, I'd start by investigating
why your ldap server crashes and eventually add a watchdog procedure to
restart it.

> To specify multiple, redundant LDAP servers, just list all servers,
> separated by spaces.

I think something like

AuthLDAPURL ldap://ldap1.ufz.de/ou=People,dc=ufz,dc=de
ldap://ldap2.ufz.de/ou=People,dc=ufz,dc=de

(on one line, broke on two line here for readability)

> what shows 2 spaces (one between the Servers) and is shown as a valid

I think it's a typo, but you should mail the maintainer of the module and
ask them in this case.

Davide

--
Have faith in Darwin... By the looks of it, this guy couldn't reproduce himself
if he had an installation wizard. --Andreas Skau








    Re: prob with mod_authnz_ldap (apache 2.2.3)  
Werner Flamme




 
01-30-07 06:19 PM

Davide Bianchi wrote on 29.01.2007 15:22:
> On 2007-01-29, Werner Flamme <werner.flamme@ufz.de> wrote: 
>
> Well... this is not exactly a problem in Apache, I'd start by investigating
> why your ldap server crashes and eventually add a watchdog procedure to
> restart it.

:-) I am not responsible for LDAP. When the LDAP admin does not succeed in
running a LDAP cluster (heartbeat on SLES8), I only have to chew on the
consequences ;-) In the meantime the cluster moved to Solaris 10, what
seems to be the better base for the Sun LDAP server ;-)
 
>
> I think something like
>
> AuthLDAPURL ldap://ldap1.ufz.de/ou=People,dc=ufz,dc=de
> 	ldap://ldap2.ufz.de/ou=People,dc=ufz,dc=de
>
> (on one line, broke on two line here for readability)

I tried, even with :389 after ".de", and still get "Invalid LDAP connection
mode setting: must be one of NONE, SSL, or TLS/STARTTLS". As soon as I add a
NONE on the line, I get the long message "AuthLDAPURL takes 1-2
arguments,[...]" again. When I put double quotes around the 2 ldap://
entries, I simply read "Bad LDAP URL while parsing." Hey, that's a clear
statement! :-)
 
>
> I think it's a typo, but you should mail the maintainer of the module and
> ask them in this case.

The second space (in the base dn) may be a typo, but the first space fits
properly with "To specify multiple, redundant LDAP servers, just list all
servers, separated by spaces.". Who is the maintainer I have to contact?

>
> Davide
>

Werner
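The sequence of errors Werner reports follows from how the configuration file is tokenized: whitespace separates arguments, and an argument that contains spaces has to be enclosed in double quotes. AuthLDAPURL takes one URL plus an optional connection mode (the NONE/SSL/TLS/STARTTLS keywords from the error text), so an unquoted second host name is read as the mode argument and a third host makes three arguments. The script below is an added example written for this thread, not mod_authnz_ldap's own code: it models that tokenization with Python's shlex and a simplified RFC 2255 parser whose defaults (uid, sub, (objectClass=*)) and space-separated host list come from the docs and error message quoted above. Rejecting a second ldap:// inside one value and escaping the username in search_filter are my own additions; the sample lines are constructed from the attempts described in the thread.

```python
import shlex

# Connection-mode keywords named in the error message quoted in the thread.
CONNECTION_MODES = {"NONE", "SSL", "TLS", "STARTTLS"}


def split_directive(line):
    """Split one httpd.conf-style line into (directive, [arguments]).

    Whitespace separates arguments; an argument enclosed in double quotes is
    kept as a single token, which is the standard Apache quoting rule."""
    tokens = shlex.split(line)
    if not tokens:
        raise ValueError("empty line")
    return tokens[0], tokens[1:]


def parse_ldap_url(url):
    """Simplified RFC 2255 parser (illustrative model, not Apache's parser) for
    ldap[s]://host[:port] [host2[:port] ...]/basedn[?attr[?scope[?filter]]].

    The host part may hold a space-separated list of redundant servers;
    defaults follow the docs quoted in the thread (uid, sub, (objectClass=*))."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("Bad LDAP URL while parsing.")
    hostpart, _, tail = rest.partition("/")
    hosts = hostpart.split()
    # Model assumption: one URL per directive, so a second scheme inside the
    # value (two full URLs glued together) is rejected as a bad URL.
    if not hosts or "://" in tail:
        raise ValueError("Bad LDAP URL while parsing.")
    fields = tail.split("?", 3)
    fields += [""] * (4 - len(fields))
    basedn, attribute, scope, filt = fields
    scope = scope.lower() or "sub"
    if scope not in ("sub", "one"):
        raise ValueError("Bad LDAP URL while parsing.")
    return {
        "scheme": scheme.lower(),
        "hosts": hosts,
        "basedn": basedn,
        "attribute": attribute or "uid",
        "scope": scope,
        "filter": filt or "(objectClass=*)",
    }


def check_auth_ldap_url(line):
    """Evaluate one AuthLDAPURL line; return ("ok", parsed) or ("error", message)."""
    name, args = split_directive(line)
    if name != "AuthLDAPURL":
        return "error", "not an AuthLDAPURL directive"
    if not 1 <= len(args) <= 2:
        return "error", "AuthLDAPURL takes 1-2 arguments"
    # The optional second argument is the connection mode, so an unquoted
    # second host name lands here and fails the mode check.
    mode = args[1].upper() if len(args) == 2 else "NONE"
    if mode not in CONNECTION_MODES:
        return "error", ("Invalid LDAP connection mode setting: "
                         "must be one of NONE, SSL, or TLS/STARTTLS")
    try:
        parsed = parse_ldap_url(args[0])
    except ValueError as exc:
        return "error", str(exc)
    parsed["mode"] = mode
    return "ok", parsed


def search_filter(parsed, username):
    """Combine the URL's filter with the attribute lookup, as the docs describe:
    (&<filter>(<attribute>=<username>)). The username is escaped per RFC 4515
    (my addition) so a crafted value cannot change the filter's structure."""
    escaped = "".join(
        "\\%02x" % ord(c) if c in "*()\\\x00" else c for c in username)
    return "(&%s(%s=%s))" % (parsed["filter"], parsed["attribute"], escaped)


# Constructed sample lines reproducing the attempts described in the thread.
THREAD_ATTEMPTS = {
    "three hosts, unquoted":
        "AuthLDAPURL ldap://ldap1.ufz.de ldap2.ufz.de ldap3.ufz.de/ou=People,dc=ufz,dc=de",
    "two hosts, unquoted":
        "AuthLDAPURL ldap://ldap1.ufz.de ldap2.ufz.de/ou=People,dc=ufz,dc=de",
    "two full URLs, quoted":
        'AuthLDAPURL "ldap://ldap1.ufz.de/ou=People,dc=ufz,dc=de ldap://ldap2.ufz.de/ou=People,dc=ufz,dc=de"',
    "host list, quoted":
        'AuthLDAPURL "ldap://ldap1.ufz.de ldap2.ufz.de ldap3.ufz.de/ou=People,dc=ufz,dc=de" NONE',
}

if __name__ == "__main__":
    for label, line in THREAD_ATTEMPTS.items():
        status, detail = check_auth_ldap_url(line)
        print("%-22s -> %s: %s" % (label, status, detail))
```

Running it reproduces the three failures in the order the thread hits them (too many arguments, bad connection mode, bad URL) and accepts only the last form, where the whole URL with its host list is one quoted argument and the mode is a separate keyword. The search_filter helper shows why the attribute/filter part of the URL matters from a defender's view: the user-supplied name is spliced into an LDAP filter, so it needs escaping before the search is issued.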








    Re: prob with mod_authnz_ldap (apache 2.2.3)  
Davide Bianchi




 
01-30-07 06:19 PM

On 2007-01-30, Werner Flamme <werner.flamme@ufz.de> wrote:
> :-) I am not responsible for LDAP. When the LDAP admin does not succeed in
> running a LDAP cluster (heartbeat on SLES8)

This is interesting... since we have a similar setup on RH and we too have
some trouble with LDAP going boinker every now and then... maybe there is
a connection...

> In the meantime the cluster moved to Solaris 10, what
> seems to be the better base for the Sun LDAP server ;-)

Maybe you should suggest installing a slave server on your own apache
server and just use that.

> Who is the maintainer I have to contact?

No idea, try sending a mail to Apache's mailing list and ask them.

Davide

--
Windows is the answer, but only if the question was 'what is the
intellectual equivalent of being a galley slave?'
--Larry Smith, in comp.os.linux.misc







