
List:       apache-httpd-users
Subject:    Re: [users@httpd] Assistance with file + ldap auth config moving from httpd 2.2 to 2.4
From:       Eduardo Mayoral <emayoral () arsys ! es>
Date:       2017-10-16 8:16:23
Message-ID: 68c5796b-d72a-435a-a4e9-2ca0a6b2906c () arsys ! es

Thanks to everybody for their support. With trace8 loglevel I saw the
problem was with the Active Directory group membership. I reverted to
what I was using in apache 2.2 for that part:

Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es


Also, I removed AuthBasicAuthoritative off because it caused non-existent users to
produce a 500 error instead of a 401.

Again, thank you very much for the help!

Eduardo Mayoral Jimeno (emayoral@arsys.es)
Administrador de sistemas. Departamento de Plataformas. Arsys internet.
+34 941 620 145 ext. 5153

On 13/10/17 18:10, Eric Covener wrote:
> Can you crank up the loglevel to trace8? I believe there are some
> spurious error messages when authz modules are reporting their
> individual results vs. getting rolled up to RequireAny.
> 
> On Fri, Oct 13, 2017 at 11:46 AM, Eduardo Mayoral <emayoral@arsys.es> wrote:
> > Hi, Eric,
> > 
> > Thanks for your fast answer. The reason for the provider aliases is
> > that once I get this config working I would like to re-use it for about
> > 6 different directories.
> > 
> > However, I have tried to flatten the configuration according to your
> > suggestion. I repeated the tests, exact same result. Flattened config
> > follows:
> > 
> > AuthType Basic
> > AuthName "Xymon user"
> > 
> > AuthBasicProvider file ldap
> > AuthBasicAuthoritative off
> > 
> > AuthLDAPURL "ldap://REDACTED:3268 REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
> > AuthLDAPBindDN "REDACTED@arsyslan.es"
> > AuthLDAPBindPassword "REDACTED"
> > AuthLDAPGroupAttributeIsDN on
> > AuthLDAPGroupAttribute member
> > AuthLDAPMaxSubGroupDepth 3
> > 
> > AuthUserFile /etc/xymon/xymonusers.htpasswd
> > AuthGroupFile /etc/xymon/xymongroups.htpasswd
> > 
> > 
> > <RequireAny>
> > Require group XymonUsers
> > Require ldap-group cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
> > </RequireAny>
> > 
> > 
> > Eduardo Mayoral Jimeno (emayoral@arsys.es)
> > Administrador de sistemas. Departamento de Plataformas. Arsys internet.
> > +34 941 620 145 ext. 5153
> > 
> > On 13/10/17 16:47, Eric Covener wrote:
> > > On Fri, Oct 13, 2017 at 10:06 AM, Eduardo Mayoral <emayoral@arsys.es> wrote:
> > > > Hi,
> > > > 
> > > > I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
> > > I don't think all of those provider-aliases are necessary. Did you
> > > try a simpler/more direct port of the config?
> > > 
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> > > For additional commands, e-mail: users-help@httpd.apache.org
> > > 
> > 
> 
> 
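
The pieces reported in this thread, assembled into one httpd 2.4 block as an added example; it is not a configuration posted by any participant. The directory path, LDAP host names, bind account and password are placeholders, and the module-scoped LogLevel line is an assumption about how to apply the trace8 suggestion without raising the level server-wide.

```apache
# Added example, not from the original thread. Placeholders are marked.

# Debugging aid: trace8 only for the modules involved in this auth chain.
# Remove once the Require results look right in the error log.
LogLevel warn auth_basic:trace8 authnz_ldap:trace8 authz_core:trace8

# Placeholder path; use the directory that holds the protected pages.
<Directory "/path/to/protected/xymon">
    AuthType Basic
    AuthName "Xymon user"

    # Try the local htpasswd file first, then LDAP.
    # AuthBasicAuthoritative is left at its default: the thread reports that
    # "AuthBasicAuthoritative off" turned unknown users into a 500, not a 401.
    AuthBasicProvider file ldap

    AuthUserFile  /etc/xymon/xymonusers.htpasswd
    AuthGroupFile /etc/xymon/xymongroups.htpasswd

    # Placeholder hosts and bind account. NONE keeps the thread's setting,
    # which means no TLS: the bind password and user passwords cross the
    # network in clear text. SSL (with an ldaps:// URL) and TLS are the
    # encrypted modes mod_authnz_ldap accepts in this position.
    AuthLDAPURL "ldap://gc1.example.invalid:3268 gc2.example.invalid:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "BIND_ACCOUNT_PLACEHOLDER@arsyslan.es"
    AuthLDAPBindPassword "PASSWORD_PLACEHOLDER"

    # The AuthLDAPGroupAttribute* and AuthLDAPMaxSubGroupDepth directives
    # from the flattened config only affect "Require ldap-group", so they
    # are omitted here. Nested membership is resolved by Active Directory
    # itself through the 1.2.840.113556.1.4.1941 matching rule in the filter.
    <RequireAny>
        # Local users listed under XymonUsers in the AuthGroupFile.
        Require group XymonUsers
        # Directory users who are direct or nested members of XymonAccess.
        Require ldap-filter memberOf:1.2.840.113556.1.4.1941:=cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
    </RequireAny>
</Directory>
```

After a change like this, requests with an unknown user name and with a known user outside both groups should each return 401, which is the behaviour the thread was checking for.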

