Apache ldap-group authentication

I am trying to get Apache to authenticate against a ldap group. But I am not getting it to work. Pasting in the config in the code window. No errors found in /var/log/apache2/error.log
LoadModule ldap_module /usr/lib/apache2/modules/mod_ldap.so
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

<Directory "/path/to/dir">
        Options ExecCGI
        AllowOverride None
        Order allow,deny
        Allow from all

        AuthName "AdminTools Group Membership is needed"
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPURL "ldap://,DC=company,DC=local?sAMAccountName?sub?(objectClass=*)"
        AuthLDAPBindDN "CN=Apache,OU=Users,OU=Company-Users,DC=company,DC=local"
        AuthLDAPBindPassword "secret"
        Require ldap-group CN=AdminTools,OU=Groups,OU=Company-Users,DC=company,DC=local
        #Require ldap-attribute gidNumber=1001
        #Satisfy any


Open in new window

Who is Participating?
jwillekeConnect With a Mentor Commented:
Are you sure your groups contain memberUid as an attribute?

if not, Try
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on

r u able to connect u r LDAP ? i mean all the user and groups in the LDAP are inplace ?

If u r not able to see anything in the log increase the logging level.
itniflAuthor Commented:
I changed the loglevel to debug. Thought I had done that already. Results are below. The AD structure and the distinguished names all exist. Connection with the server was tested successfulluy on port 389 with telnet.

As far as I can see, I have set my config up exactly as in:

The only difference is that I commented out the following:
#Require ldap-attribute gidNumber=1001
#Satisfy any

If i uncomment Satisfy any, I get no full access to the web page, and no authorization prompt is made.
As you can see in the config, the AuthLDAPURL is one lever lower then the groups and the users, who are both in each their OU's. I have understood the config as if it will handle everything under the subtree under AuthLDAPURL. Is this correct? No errors there? I guess I do not have to have the groups and the users in the same OU and then point AuthLDAPURL to that OU?

[Sun Apr 11 12:54:32 2010] [debug] mod_deflate.c(615): [client] Zlib: Compressed 546 to 374 : URL /IntranettWeb/adm/admintools.html, referer: http://192.16
[Sun Apr 11 12:54:41 2010] [debug] mod_authnz_ldap.c(377): [client] [471] auth_ldap authenticate: using URL ldap://,DC=company,DC=local?sAMAccountName?sub?(objectClass=*), referer:
[Sun Apr 11 12:54:41 2010] [debug] mod_authnz_ldap.c(474): [client] [471] auth_ldap authenticate: accepting et5233x, referer:
[Sun Apr 11 12:54:41 2010] [debug] mod_authnz_ldap.c(715): [client] [471] auth_ldap authorise: require group: testing for group membership in "CN=AdminTool
s,OU=Groups,OU=Company-Users,DC=company,DC=local", referer:
[Sun Apr 11 12:54:41 2010] [debug] mod_authnz_ldap.c(721): [client] [471] auth_ldap authorise: require group: testing for memberUid: et5233x (CN=AdminTools
,OU=Groups,OU=Company-Users,DC=company,DC=local), referer:
[Sun Apr 11 12:54:41 2010] [debug] mod_authnz_ldap.c(737): [client] [471] auth_ldap authorise: require group "CN=AdminTools,OU=Groups,OU=Company-Users,DC=company,DC=local": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute], referer:
[Sun Apr 11 12:54:41 2010] [debug] mod_authnz_ldap.c(852): [client] [471] auth_ldap authorise: authorisation denied, referer:

Open in new window

itniflAuthor Commented:
This seems to be the solution. Thanks!
All Courses

From novice to tech pro — start learning today.