4

There is my config (httpd 2.4):

<AuthnProviderAlias ldap zzzldap>
   LDAPReferrals Off
   AuthLDAPURL "ldaps://ldap.zzz.com:636/o=zzz.com?uid?sub?(objectClass=*)"
   AuthLDAPBindDN "uid=zzz,ou=Applications,o=zzz.com"
   AuthLDAPBindPassword "zzz"
</AuthnProviderAlias>

<Location /svn>
   DAV svn
   SVNParentPath /DATA/svn
   AuthType Basic
   AuthName "Subversion repositories"
   SSLRequireSSL
   AuthBasicProvider zzzldap

   <RequireAll>
      Require valid-user
      Require ldap-attribute employeeNumber=12345
      Require ldap-group cn=yyy,ou=Groups,o=zzz.com
   </RequireAll>
</Location>

The Require valid-user is work. But ldap-attribite, ldap-filter, ldap-group does not work - denied in logs all time. I spent a lot of time but can't understand what's going on. This is the example of my logs:

[Tue Sep 25 16:42:26.772006 2012] [authz_core:debug] [pid 23087:tid 139684003014400] mod_authz_core.c(802): [client 1.1.1.1:52624] AH01626: authorization result of Require valid-user : granted
[Tue Sep 25 16:42:26.772014 2012] [authz_core:debug] [pid 23087:tid 139684003014400] mod_authz_core.c(802): [client 1.1.1.1:52624] AH01626: authorization result of Require ldap-attribute employeeNumber=12345: denied

I checked all info with ldapsearch: there is a valid username, employee ID and other...

user9517
  • 115,471
  • 20
  • 215
  • 297
Dee
  • 81
  • 6
  • Just to make sure: Is the parameter in your config files and log files `empoyeeNumber` named exactly the same in the LDAP record or is it spelled correctly there (`employeeNumber`)? – Sven Sep 25 '12 at 15:08
  • Sorry, it was a typo. However it's not work. Any ldap-* requirements... Even ldap-filter (objectClass=*) does not work. – Dee Sep 25 '12 at 15:12
  • Does the user you're binding as have enough permissions to query those attributes? – Shane Madden Sep 25 '12 at 15:40
  • Yes, I checked it with ldapsearch. – Dee Sep 25 '12 at 15:56

1 Answers1

1

Try this way:

<AuthnProviderAlias ldap zzzldap>
   LDAPReferrals Off
   AuthLDAPURL "ldaps://ldap.zzz.com:636/o=zzz.com?uid?sub?(objectClass=*)"
   AuthLDAPBindDN uid=zzz,ou=Applications,o=zzz.com
   AuthLDAPBindPassword zzz
</AuthnProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-yyy cn=yyy,ou=Groups,o=zzz.com>
   AuthLDAPURL "ldaps://ldap.zzz.com:636/o=zzz.com"
   AuthLDAPBindDN uid=zzz,ou=Applications,o=zzz.com
   AuthLDAPBindPassword zzz
   Require ldap-group cn=yyy,ou=Groups,o=zzz.com
   #Require ldap-attribute employeeNumber=12345
</AuthzProviderAlias>

<Location /svn>
   DAV svn
   SVNParentPath /DATA/svn
   AuthType Basic
   AuthName "Subversion repositories"
   SSLRequireSSL
   AuthBasicProvider zzzldap

   <RequireAll>
      Require valid-user
      Require ldap-group-yyy
  </RequireAll>
</Location>

I'm not sure about the "Require ldap-attribute employeeNumber=12345" part but the group works for me now.

Suriem
  • 131
  • 3
  • The `Require` entries in your `AuthzProviderAlias` block appear to be redundant. The same things are stated in the ` header line. – user207421 Oct 21 '14 at 03:54