LDAP redundancy with Webauth and Apache 2.2

Russ Allbery eagle at windlord.stanford.edu
Wed Jun 1 13:09:42 PDT 2011


John DeStefano <john.destefano at gmail.com> writes:
> Russ Allbery <eagle at windlord.stanford.edu> wrote:
>> John DeStefano <john.destefano at gmail.com> writes:

>>> In Apache v2.0, I was able to get by with defining multiple LDAP
>>> servers within a Webauth-authenticated directory or location with
>>> space-separated host entries in an AuthLDAPURL directive, such as:
>>> AuthLDAPURL "ldap://server1.com server2.com server3.com/dc=company,dc=com"

>>> This syntax was changed apparently in Apache 2.2, which threw a
>>> "connection mode setting" error for the same definition.

I did some more investigation of this, and the mod_authnz_ldap manual for
Apache 2.2 still documents this behavior and says it should work.  See,
for example:

    http://www.gossamer-threads.com/lists/apache/docs/347845

where someone else confirms that it works but clarifies that it should be
enclosed in double quotes (which you seem to have done above).

>>> I then read the way to do this would be with a set of
>>> AuthnProviderAlias alias definitions (<AuthnProviderAlias ldap
>>> server-one>...), and enabling these aliases within a desired location
>>> or directory with the AuthBasicProvider directive.  The problem here
>>> is this seems to work only when the authentication type is
>>> "Basic".  Is there a way to get this working with Webauth and Apache
>>> 2.2?

Interesting.  That directive isn't even documented for mod_authnz_ldap.
Is that the LDAP module that you're using?

I'm looking at:

    http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

> We're using Webauth with Kerberos to do authentication, and LDAP for
> authorization (with `Require ldap-user ...` or `Require ldap-group
> ...`).  Specifying an `AuthLDAPURL` still works in this context, but
> only with a single server, not multiple servers as mentioned above.

The documentation seems to be written assuming that the mod_authnz_ldap
module will be used for both authentication and authorization, whereas
you're using it only for authorization, so it's a bit hard to follow for
this case.  But so far as I can tell, it should do an anonymous bind (or
use the configured password bind credentials) and work properly for this
case when combined with another authentication module.

The instances of that error that I'm seeing are for unquoted LDAP URLs
with multiple servers, at least so far as I can untangle other people's
experiences.

-- 
Russ Allbery <eagle at windlord.stanford.edu>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University
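As an added configuration example (not from the thread, and not WebAuth's or Apache's own documentation), this is the Apache 2.2 stanza the discussion describes: WebAuth performs the authentication, mod_authnz_ldap is used only for authorization, and the multi-host AuthLDAPURL is written as one double-quoted string. The hostnames, base DN, group DN and bind account are placeholders.

```apache
# Added example: WebAuth (Kerberos) authenticates, mod_authnz_ldap authorizes.
# All hostnames and DNs below are placeholders.
<Location /restricted>
    # Authentication is handled by mod_webauth, not by LDAP.
    AuthType WebAuth

    # The whole URL, including the space-separated list of LDAP hosts,
    # must be a single double-quoted string. The "?uid" suffix names the
    # attribute matched against the WebAuth-supplied username, so this
    # assumes the LDAP uid equals the username WebAuth sets.
    AuthLDAPURL "ldap://server1.example.com server2.example.com server3.example.com/dc=example,dc=com?uid"

    # Optional: credentials for the directory search. Leave both out to
    # use an anonymous bind. If set, restrict read access to this file,
    # since the password is stored in clear text.
    AuthLDAPBindDN "cn=apache,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "placeholder-password"

    # Let mod_authnz_ldap make the final authorization decision.
    AuthzLDAPAuthoritative on
    Require ldap-group cn=webadmins,ou=groups,dc=example,dc=com
</Location>
```

If any host in the list is unreachable, mod_authnz_ldap tries the next one, which is the redundancy the thread is after.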