I am attempting to use mod_auth_cas for AuthN and LDAP for AuthZ. mod_auth_cas is actually irrelevant, because I have the same issue with BasicAuth for AuthN. Everything works fine if I specify <Location "/">, but as soon as I specify a sublocation <Location "/secure"> the authorisation fails and I get a 403.

e.g. this works and permits access to people in the specified LDAP group:

<Location "/">
  AuthType Basic
  AuthUserFile var/ht.passwd
  AuthName Secure
  AuthLDAPUrl         "ldaps://<snip>?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN      "CN=<snip>"
  AuthLDAPBindPassword <snip>
  Require ldap-group CN=<snip>
</Location>

But this doesn't - it just returns 403 to everyone:

<Location "/secure">
  AuthType Basic
  AuthUserFile var/ht.passwd
  AuthName Secure
  AuthLDAPUrl         "ldaps://<snip>?sAMAccountName?sub?(objectClass=*)"
  AuthLDAPBindDN      "CN=<snip>"
  AuthLDAPBindPassword <snip>
  Require ldap-group CN=<snip>
</Location>

In the logs for the 2nd situation I have:

auth_ldap authorise: User DN not found, ldap_search_ext_s() for user failed

This is on Apache 2.2. I'm thinking this must be a bug, but wondered if there was anything I could do to get this to work?

Mark

1 Answer

But why do you still use "AuthUserFile"? This works for me:

  AuthType Basic
  AuthName "Some name"
  Require ldap-group <snip>
  SSLOptions +FakeBasicAuth
  AuthBasicProvider ldap
  AuthLDAPBindDN uid=<snip>
  AuthLDAPBindPassword <snip>
  AuthLDAPURL ldaps://<server>/<basedn>?uid?sub
  AuthLDAPRemoteUserAttribute uid
  AuthzLDAPAuthoritative on
  Options MultiViews

The error "User DN not found" tells you about an auth problem. So, check your authbinddn and authbindpassword, for example with ldapsearch: ldapsearch -H ldap://server -x -D cn=

unlo
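Turning an AuthLDAPUrl into the ldapsearch check the answer recommends, as an added shell helper that is not part of either post: it splits the URL the way mod_authnz_ldap does (host, base DN, attribute, scope, filter, with Apache's defaults of uid, sub and (objectClass=*)) and prints the equivalent user lookup, so the bind DN, bind password and the search behind "User DN not found" can be verified outside Apache. Host names, DNs and the user name below are constructed placeholders.

```shell
#!/bin/sh
# Usage: authldapurl_to_ldapsearch AUTHLDAPURL BIND_DN USERNAME
# Prints an ldapsearch command that binds as BIND_DN (-W prompts for the
# password) and runs the same user search mod_authnz_ldap performs:
# (&(configured filter)(attribute=USERNAME)) under the base DN.
authldapurl_to_ldapsearch() {
  url=$1 binddn=$2 user=$3
  scheme=${url%%://*}                         # ldap or ldaps
  rest=${url#*://}                            # host[:port]/basedn?attr?scope?filter
  hostport=${rest%%/*}
  rest=${rest#"$hostport"}; rest=${rest#/}    # basedn?attr?scope?filter
  basedn=${rest%%\?*}
  rest=${rest#"$basedn"}; rest=${rest#\?}     # attr?scope?filter
  attr=${rest%%\?*}; [ -n "$attr" ] || attr=uid
  rest=${rest#"$attr"}; rest=${rest#\?}       # scope?filter
  scope=${rest%%\?*}; [ -n "$scope" ] || scope=sub
  rest=${rest#"$scope"}; rest=${rest#\?}      # filter (may be empty)
  filter=$rest; [ -n "$filter" ] || filter='(objectClass=*)'
  # Apache wraps a bare filter in parentheses before ANDing it with attr=user
  case $filter in
    \(*) ;;
    *) filter="($filter)" ;;
  esac
  printf 'ldapsearch -H %s://%s -x -W -D "%s" -b "%s" -s %s "(&%s(%s=%s))" dn\n' \
    "$scheme" "$hostport" "$binddn" "$basedn" "$scope" "$filter" "$attr" "$user"
}

# Run directly with three arguments to print the command for your own values.
if [ $# -eq 3 ]; then
  authldapurl_to_ldapsearch "$@"
fi
```

If the printed command returns no dn for a user who can log in at "/", the bind credentials or the base DN in that Location's AuthLDAPUrl are the first thing to compare.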