[Auth_ldap] Group authentication

Dave Carrigan dave at rudedog.org
Mon Dec 4 07:52:47 PST 2000


"Richard Ellerbrock" <richarde at eskom.co.za> writes:

> Authentication works fine for all users, except the one shown by an
> arrow. Notice that the dn lies in a different context/container. From
> what I can figure out, version 1.4.x only authenticates on the cn part
> of the complete dn and will thus look for FisherB in the
> ou=ITD,ou=MPK,ou=GT,o=ESKOM container/context. This is not the behaviour
> that I am looking for. I want to authenticate on the full
> cn=FisherB,ou=ITS,ou=NGY,ou=KN,o=DSNET. From what I can read this will
> only be possible in 1.5.x. Here is an extract from the 1.5.x
> changelog:

Actually, the 1.4 behavior is to authenticate on complete DNs. The 1.5
addition was to support people who didn't want to authenticate on
complete DNs. So, you should be fine with 1.4.

The remaining question is why the authentication is failing for you. The
way auth_ldap implements group checks is to fetch the DN of the
authenticated user and do an ldap_compare operation of (groupdn, member
attribute, user dn). If the ldap_compare fails, this would be the
problem. You should bump up the logging level of Apache (use the
LogLevel debug directive) and send me the log of the failed
authentication attempt. That will give a better idea of what is going
wrong.

-- 
Dave Carrigan (dave at rudedog.org)            | Yow!  I forgot my PAIL!!
UNIX-Apache-Perl-Linux-Firewalls-LDAP-C-DNS | 
Seattle, WA, USA                            | 
http://www.rudedog.org/                     | 
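The group check Dave describes (compare the authenticated user's full DN against the group's member attribute), modelled below as an added example. This is not code from the list or from auth_ldap; the in-memory directory, the group name cn=ITDStaff,ou=Groups,o=ESKOM and its member values are constructed assumptions.

```python
from typing import Dict, List

def normalize_dn(dn: str) -> str:
    """Simplified DN matching (RFC 4514 style): attribute types and values are
    compared case-insensitively, whitespace around each RDN is ignored.
    Escaped commas and multi-valued RDNs are not handled here."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

# Constructed stand-in for the LDAP server: entry DN -> attributes.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    normalize_dn("cn=ITDStaff,ou=Groups,o=ESKOM"): {
        "objectClass": ["groupOfNames"],
        "member": [
            "cn=FisherB,ou=ITD,ou=MPK,ou=GT,o=ESKOM",
            "CN=SmithJ, OU=ITD, OU=MPK, OU=GT, O=ESKOM",
        ],
    },
}

def ldap_compare(entry_dn: str, attr: str, value: str) -> bool:
    """Model of the LDAP compare operation on a DN-syntax attribute:
    True if the entry holds a value of `attr` equal to `value`."""
    entry = DIRECTORY.get(normalize_dn(entry_dn))
    if entry is None:
        return False  # a real server answers noSuchObject here
    want = normalize_dn(value)
    return any(normalize_dn(v) == want for v in entry.get(attr, []))

def group_check(user_dn: str, group_dn: str, member_attr: str = "member") -> bool:
    """auth_ldap-style require-group test: the bound user's *complete* DN
    must appear in the group's member attribute; the cn alone is irrelevant."""
    return ldap_compare(group_dn, member_attr, user_dn)

def group_members(group_dn: str, member_attr: str = "member") -> List[str]:
    """Normalized member DNs, the values a debug log comparison would show."""
    entry = DIRECTORY.get(normalize_dn(group_dn), {})
    return sorted(normalize_dn(v) for v in entry.get(member_attr, []))
```

A user whose DN sits in a different container (the FisherB under o=DSNET in the original question) fails the compare even though the cn matches a listed member, which is the failure mode the reply points at.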
