I have got authentication working on my Apache 2.4 webserver, if I require a specific user. However, I would like to require one or more specific groups. I have tried the example given in the documentation: Require ldap-group with no group name specified.
I get this result in my log files:
[Wed Jan 12 13:13:52.676003 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(899): [client 10.14.0.18:36914] AH01713: auth_ldap authorize: require group: testing for group membership in ""
[Wed Jan 12 13:13:52.841650 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(926): [client 10.14.0.18:36914] AH01719: auth_ldap authorize: require group "": didn't match with attr Comparison complete [memberOf][53 - Server is unwilling to perform]
[Wed Jan 12 13:13:52.841690 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(943): [client 10.14.0.18:36914] AH01716: auth_ldap authorise: require group "": failed [Comparison complete][53 - Server is unwilling to perform], checking sub-groups
[Wed Jan 12 13:13:52.842761 2022] [authnz_ldap:debug] [pid 23541] mod_authnz_ldap.c(966): [client 10.14.0.18:36914] AH01718: auth_ldap authorise: require group (sub-group) "": didn't match with attr DN failed group verification. [memberOf][53 - Server is unwilling to perform]
I have tried the following in the configuration:
Require ldap-group cn=accounts
Require ldap-group accounts
with AuthLDAPGroupAttributeIsDN set to both "on" and "off". Neither works:
[Wed Jan 12 14:02:47.588735 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(907): [client 10.14.0.18:38342] AH01714: auth_ldap authorize: require group: testing for memberOf: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com (cn=accounts)
[Wed Jan 12 14:02:47.753521 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(926): [client 10.14.0.18:38342] AH01719: auth_ldap authorize: require group "cn=accounts": didn't match with attr Comparison complete [memberOf][32 - No such object]
[Wed Jan 12 14:02:47.753562 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(943): [client 10.14.0.18:38342] AH01716: auth_ldap authorise: require group "cn=accounts": failed [Comparison complete][32 - No such object], checking sub-groups
[Wed Jan 12 14:02:47.754391 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(966): [client 10.14.0.18:38342] AH01718: auth_ldap authorise: require group (sub-group) "cn=accounts": didn't match with attr DN failed group verification. [memberOf][32 - No such object]
[Wed Jan 12 14:02:47.754422 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(899): [client 10.14.0.18:38342] AH01713: auth_ldap authorize: require group: testing for group membership in "accounts"
[Wed Jan 12 14:02:47.754426 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(907): [client 10.14.0.18:38342] AH01714: auth_ldap authorize: require group: testing for memberOf: uid=testuser,cn=users,cn=accounts,dc=ipa,dc=bluepearlsoftware,dc=com (accounts)
[Wed Jan 12 14:02:47.764320 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(926): [client 10.14.0.18:38342] AH01719: auth_ldap authorize: require group "accounts": didn't match with attr Comparison complete [memberOf][32 - No such object]
[Wed Jan 12 14:02:47.764358 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(943): [client 10.14.0.18:38342] AH01716: auth_ldap authorise: require group "accounts": failed [Comparison complete][32 - No such object], checking sub-groups
[Wed Jan 12 14:02:47.765169 2022] [authnz_ldap:debug] [pid 7443] mod_authnz_ldap.c(966): [client 10.14.0.18:38342] AH01718: auth_ldap authorise: require group (sub-group) "accounts": didn't match with attr DN failed group verification. [memberOf][32 - No such object]
I would appreciate any help to get this working. I am running on a fully updated CentOS 7 VM.
Hi,
according to apache documentation in https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#reqgroup, the full group DN must be specified:
----- 8< -----
Require ldap-group
This directive specifies an LDAP group whose members are allowed access. It takes the distinguished name of the LDAP group. Note: Do not surround the group name with quotes. For example, assume that the following entry existed in the LDAP directory:

dn: cn=Administrators, o=Example
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Example
uniqueMember: cn=Fred User, o=Example

The following directive would grant access to both Fred and Barbara:

Require ldap-group cn=Administrators, o=Example
---- >8 -----
HTH, flo
On Wed, Jan 12, 2022 at 8:15 PM Simon Matthews via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Thank you for your help. I was able to get it working. Note that I had to set AuthLDAPGroupAttributeIsDN on while the FreeIPA documentation instructs you to turn this off. https://www.freeipa.org/page/Apache_Group_Based_Authorization
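The following is an added example configuration, not from this thread, the Apache documentation or the FreeIPA wiki page linked above. It ties together the two findings of the thread: the group in Require ldap-group must be given as its full DN (flo's answer), and because FreeIPA's memberOf attribute holds group DNs, AuthLDAPGroupAttributeIsDN must be on (Simon's follow-up). The host name ipa.example.com, the base DN dc=example,dc=com, the bind account, the password and the group names webadmins and auditors are placeholders; the container layout cn=users,cn=accounts and cn=groups,cn=accounts is the standard FreeIPA tree.

```apache
# Added example, not the thread's own configuration. All DNs, the host and
# the password below are placeholders to be replaced for a real deployment.
<Location "/secure">
    AuthType Basic
    AuthName "FreeIPA login"
    AuthBasicProvider ldap

    # Look the user up by uid under FreeIPA's users container, over TLS.
    AuthLDAPURL "ldaps://ipa.example.com/cn=users,cn=accounts,dc=example,dc=com?uid?sub?(objectClass=posixAccount)"

    # Bind with a dedicated read-only system account rather than an admin DN,
    # so a leaked password cannot modify the directory.
    AuthLDAPBindDN "uid=apache-bind,cn=sysaccounts,cn=etc,dc=example,dc=com"
    AuthLDAPBindPassword "REPLACE-WITH-BIND-PASSWORD"

    # FreeIPA stores group membership on the user as memberOf, whose values are
    # full group DNs. The compare therefore has to be done in DN form; this is
    # the setting the thread needed "on" despite the wiki page saying "off".
    AuthLDAPGroupAttribute memberOf
    AuthLDAPGroupAttributeIsDN on

    # memberOf already includes nested groups, so no sub-group walking is needed;
    # setting the depth to 0 avoids extra lookups and extra AH01718 noise.
    AuthLDAPMaxSubGroupDepth 0

    # Groups are named by full DN and not quoted. A member of either group
    # gets in; use <RequireAll> instead if membership in all of them is needed.
    <RequireAny>
        Require ldap-group cn=webadmins,cn=groups,cn=accounts,dc=example,dc=com
        Require ldap-group cn=auditors,cn=groups,cn=accounts,dc=example,dc=com
    </RequireAny>

    # Raise to authnz_ldap:debug only while troubleshooting; at that level the
    # AH01713/AH01719 lines seen in the thread appear for every request.
    LogLevel authnz_ldap:info
</Location>
```

When a Require ldap-group line still fails, the result code in the AH01719 line is the first thing to read: "32 - No such object" as in the thread means the DN being compared does not exist in the directory, which is what a bare cn=accounts or a plain group name produces. Confirming with ldapsearch that the test user's memberOf attribute contains the exact DN used in the Require line removes the guesswork before touching the Apache configuration again.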