group authorization via LDAP

on 01.10.2009 23:18:49 by trice

I'm trying to convert from DBM file based authentication and
authorization to LDAP based authentication and authorization in Apache
2.2.11.

We've already got a large number of .htaccess files with specific
configs for individual directories that are using "require user" and
"require group". Is it possible to configure the apache server to allow
those .htaccess to continue work as expected or must we change them to
"require ldap-user" and "require ldap-group"?

I'm digging through the mod_authnz_ldap docs but the config to specify
the base for group authorization (in my case: "ou=GroupStuff,ou=Our
Groups,dc=Company,dc=Com") just isn't jumping out at me.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest, e-mail: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: group authorization via LDAP

on 02.10.2009 10:35:58 by Tom Evans

On Thu, 2009-10-01 at 17:18 -0400, Tony Rice (trice) wrote:
> I'm trying to convert from DBM file based authentication and
> authorization to LDAP based authentication and authorization in Apache
> 2.2.11.
>
> We've already got a large number of .htaccess files with specific
> configs for individual directories that are using "require user" and
> "require group". Is it possible to configure the apache server to allow
> those .htaccess to continue work as expected or must we change them to
> "require ldap-user" and "require ldap-group"?
>
> I'm digging through the mod_authnz_ldap docs but the config to specify
> the base for group authorization (in my case: "ou=GroupStuff,ou=Our
> Groups,dc=Company,dc=Com") just isn't jumping out at me.
>

This is how we do it:

AuthType Basic
AuthName "Company"
AuthBasicProvider "ldap"
AuthLDAPURL "ldap://ldap/o=Company?mail?sub?(accountActive=TRUE)"
AuthLDAPBindDN "cn=authuser,ou=System Accounts,o=Company"
AuthLDAPBindPassword "authpass"
AuthzLDAPAuthoritative "On"
Require valid-user
Require ldap-group cn=Department,ou=Groups,o=Company


Cheers

Tom




Re: group authorization via LDAP

on 02.10.2009 14:38:55 by Marc Patermann

Hi,

Tom Evans wrote:
> On Thu, 2009-10-01 at 17:18 -0400, Tony Rice (trice) wrote:

> This is how we do it:
> [...]
> AuthzLDAPAuthoritative "On"
> Require valid-user
> Require ldap-group cn=Department,ou=Groups,o=Company
Does this work?
When I read the docs:
"Require valid-user
If this directive exists, mod_authnz_ldap grants access to any user that
has successfully authenticated during the search/bind phase."
and:
"Other Require values may also be used which may require loading
additional authorization modules. Note that if you use a Require value
from another authorization module, you will need to ensure that
AuthzLDAPAuthoritative is set to off to allow the authorization phase
to fall back to the module providing the alternate Require value."
-> http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

This seems to me like either "Require valid-user" is not working at all
- because AuthzLDAPAuthoritative is "On" - or it overrules any
ldap-group setting. Hm!?


Marc


RE: group authorization via LDAP

on 02.10.2009 16:36:42 by trice

Is our only choice changing all the .htaccess files with "require group
" to "require ldap-group cn=,ou=some long ldap
string" in order to make the switch to group authorization via LDAP groups?

-Tony





Re: group authorization via LDAP

on 02.10.2009 17:01:05 by Eric Covener

On Fri, Oct 2, 2009 at 10:36 AM, Tony Rice (trice) wrote:
> Is our only choice changing all the .htaccess files with "require group
> " to "require ldap-group cn=,ou=some long ldap
> string" in order to make the switch group authorization via LDAP groups?

Yes.

--
Eric Covener
covener@gmail.com


Re: group authorization via LDAP

on 02.10.2009 17:05:00 by Eric Covener

On Fri, Oct 2, 2009 at 8:38 AM, Marc Patermann
wrote:
> Hi,
>
> Tom Evans wrote:
>>
>> On Thu, 2009-10-01 at 17:18 -0400, Tony Rice (trice) wrote:
>
>> This is how we do it:
>> [...]
>> AuthzLDAPAuthoritative "On"
>> Require valid-user
>> Require ldap-group cn=Department,ou=Groups,o=Company
>
> Does this work?
> When I read the docs:
> "Require valid-user
> If this directive exists, mod_authnz_ldap grants access to any user that has
> successfully authenticated during the search/bind phase."
> and:
> "Other Require values may also be used which may require loading additional
> authorization modules. Note that if you use a Require value from another
> authorization module, you will need to ensure that AuthzLDAPAuthoritative
> is set to off to allow the authorization phase to fall back to the module
> providing the alternate Require value."
> -> http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
>

> This seems to me like either "Require valid-user" is not working at all -
> because AuthzLDAPAuthoritative is "On" - or it overrules any ldap-group
> setting. Hm!?

The doc is poor in this regard. mod_authnz_ldap does not handle
"valid-user", it allows another module to handle it [if the request
gets that far]. This is why the AuthzLDAPAuthoritative does not
apply to the "Require valid-user", and this quoted config boils down
to the same as if you'd removed the first two quoted directives
[IIUC].


--
Eric Covener
covener@gmail.com


RE: group authorization via LDAP

on 02.10.2009 19:51:42 by trice

I'm able to do LDAP based group authorization when I specify the group
info as a filter in the LDAP URL but I'd like to configure a more
generic LDAP string in the apache config and allow users to control
access by group membership using .htaccess files. I'm able to
authenticate based on userid/password but can't seem to get the config
quite right to authorize based on group membership.

These memberships are in the memberOf attribute on User records. In the
LDAP tree, users are in OU=Company Users, groups are in OU=GroupStuff
and OU=Standard under OU=Company Groups.

The log files complain that an attribute can't be found for the group
value specified. Any ideas?


My ldap config looks like this:
AuthName "Active Directory"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN "CN=mybinduser,OU=Generics,OU=Company Users,DC=dev,DC=company,DC=com"
AuthLDAPBindPassword secret
AuthLDAPRemoteUserAttribute cn

AuthLDAPUrl "ldap://dev.company.com:389/OU=Company Users,DC=dev,DC=company,DC=com?cn?sub?"
AuthzLDAPAuthoritative on
AuthLDAPGroupAttribute memberOf

.htaccess file looks like this:
require valid-user
require ldap-group CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com


Logs look like this:
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(875): [6756] auth_ldap url parse: `ldap://dev.company.com:389/OU=Company Users,DC=dev,DC=company,DC=com?cn?sub?'
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(884): [6756] auth_ldap url parse: Host: dev.company.com:389
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(886): [6756] auth_ldap url parse: Port: 389
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(888): [6756] auth_ldap url parse: DN: OU=Company Users,DC=dev,DC=company,DC=com
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(890): [6756] auth_ldap url parse: attrib: cn
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(892): [6756] auth_ldap url parse: scope: subtree
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(897): [6756] auth_ldap url parse: filter: (null)
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(977): LDAP: auth_ldap not using SSL connections
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(377): [client 64.102.41.173] [6756] auth_ldap authenticate: using URL ldap://dev.company.com:389/OU=Company Users,DC=dev,DC=company,DC=com?cn?sub?
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(474): [client 64.102.41.173] [6756] auth_ldap authenticate: accepting trice
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(715): [client 64.102.41.173] [6756] auth_ldap authorise: require group: testing for group membership in "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com"
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(721): [client 64.102.41.173] [6756] auth_ldap authorise: require group: testing for memberOf: CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com (CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com)
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(737): [client 64.102.41.173] [6756] auth_ldap authorise: require group "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
[Fri Oct 02 10:09:47 2009] [debug] mod_authnz_ldap.c(852): [client 64.102.41.173] [6756] auth_ldap authorise: authorisation denied

My LDAP entry (using the URL above) looks like this:
dn: CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com

objectClass: top
             person
             organizationalPerson
             user
cn: trice

memberOf: CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
          CN=admins,OU=Standard,OU=Company Groups,DC=dev,DC=company,DC=com
department: 8675309
company: Company, Inc.


RE: group authorization via LDAP

on 02.10.2009 21:35:11 by trice

One other wrinkle to add to this. I can get "require ldap-group" to
work, but only if all the Auth config lines are in the .htaccess file.
If it's in the httpd.conf file and only require lines are in the
.htaccess file, require ldap-group produces the errors below (though
"require valid-user" and "require ldap-filter" work fine either way).

-Tony





Re: group authorization via LDAP

on 02.10.2009 21:37:36 by Eric Covener

> AuthLDAPGroupAttribute memberOf
>
> require ldap-group CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
>
> My LDAP entry (using the URL above) looks like this:
> dn: CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com
>
> objectClass: top
>              person
>              organizationalPerson
>              user
> cn: trice
>
> memberOf: CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com
>           CN=admins,OU=Standard,OU=Company Groups,DC=dev,DC=company,DC=com
> department: 8675309
> company: Company, Inc.


Your config looks for entries like this in ldap:

cn: mygroup,OU=Grou....
memberOf: trice
memberOf: bob
...

Your LDAP setup should use require ldap-filter to find a memberOf
under the _user_ that signifies membership in a group, or find how the
groups entry lists users (not memberOf, but something like member or
uniqueMember). ldap-filter starts at the user and looks for stuff,
ldap-group starts at the group and looks for an entry listing your
user.

--
Eric Covener
covener@gmail.com
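Eric's distinction between the two Require types, as an added example that is not from the thread or from mod_authnz_ldap: a small Python model of the directory Tony described, showing why `Require ldap-group` with `AuthLDAPGroupAttribute memberOf` compares an attribute the group entry does not have (the "no such attribute" in the debug log), while an ldap-filter on memberOf is tested against the user's own entry. The DIRECTORY dict, the function names and the group's `member` attribute are constructed assumptions of this sketch.

```python
# Added example, not from the thread or from mod_authnz_ldap: an in-memory
# model of the two Require types Eric contrasts, run against entries
# constructed to match Tony's directory. DIRECTORY, the function names and
# the group's "member" attribute are assumptions of this sketch.

USER_DN = "CN=trice,OU=Employees,OU=Company Users,DC=dev,DC=company,DC=com"
GROUP_DN = "CN=mygroup,OU=GroupStuff,OU=Company Groups,DC=dev,DC=company,DC=com"
ADMINS_DN = "CN=admins,OU=Standard,OU=Company Groups,DC=dev,DC=company,DC=com"

# Constructed directory: the user carries memberOf (as in Tony's entry); the
# group entry lists its members in "member" and has no memberOf at all.
DIRECTORY = {
    USER_DN: {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": ["trice"],
        "memberOf": [GROUP_DN, ADMINS_DN],
    },
    GROUP_DN: {
        "objectClass": ["top", "group"],
        "cn": ["mygroup"],
        "member": [USER_DN],
    },
}


def require_ldap_group(group_dn, user_dn, group_attribute):
    """'Require ldap-group <group_dn>' with 'AuthLDAPGroupAttribute
    <group_attribute>': start at the GROUP entry and compare
    <group_attribute> against the authenticated user's DN.
    Returns (allowed, reason)."""
    entry = DIRECTORY.get(group_dn)
    if entry is None:
        return False, "no such object"
    values = entry.get(group_attribute)
    if values is None:
        # The "Comparison no such attribute" from Tony's debug log: the
        # group entry has no memberOf attribute to compare against.
        return False, "no such attribute: " + group_attribute
    return user_dn in values, "compared " + group_attribute + " on group"


def require_ldap_filter(attribute, value, user_dn):
    """'Require ldap-filter <attribute>=<value>': start at the USER entry
    located by the AuthLDAPURL search and test the filter against it."""
    entry = DIRECTORY.get(user_dn)
    if entry is None:
        return False, "no such object"
    return value in entry.get(attribute, []), "filter tested on user"


def authorize(user_dn):
    """Compare the thread's failing config, Eric's ldap-filter fix, and
    ldap-group pointed at the attribute the group entry really has."""
    return {
        "ldap-group/memberOf": require_ldap_group(GROUP_DN, user_dn, "memberOf")[0],
        "ldap-filter/memberOf": require_ldap_filter("memberOf", GROUP_DN, user_dn)[0],
        "ldap-group/member": require_ldap_group(GROUP_DN, user_dn, "member")[0],
    }


if __name__ == "__main__":
    for check, allowed in authorize(USER_DN).items():
        print("%-22s %s" % (check, "allowed" if allowed else "denied"))
```

Only the first row reproduces Tony's failure; the other two are the two fixes Eric names (filter on the user's memberOf, or point ldap-group at the attribute the group entry actually uses to list its members).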


RE: group authorization via LDAP

on 02.10.2009 22:22:08 by trice

Thanks, makes sense and works well using require ldap-filter.

-Tony



