Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

LDAP redundancy with Webauth and Apache 2.2

John DeStefano john.destefano at gmail.com
Wed Jun 1 13:38:18 PDT 2011


Hi Russ,

On Wed, Jun 1, 2011 at 4:09 PM, Russ Allbery
<eagle at windlord.stanford.edu> wrote:
> I did some more investigation of this, and the mod_authnz_ldap manual for
> Apache 2.2 still documents this behavior and says it should work.  See,
> for example:
>
>    http://www.gossamer-threads.com/lists/apache/docs/347845
>
> where someone else confirms that it works but clarifies that it should be
> enclosed in double quotes (which you seem to have done above).

Yes: using double-quotes used to work in an earlier version, but it no
longer parses for me in v2.2.

>>>> I then read the way to do this would be with a set of
>>>> AuthnProviderAlias alias definitions (<AuthnProviderAlias ldap
>>>> server-one>...) , and enabling these aliases within a desired location
>>>> or directory with the AuthBasicProvider directive.  The problem here
>>>> is this seems to work only when the authentication type is
>>>> "Basic".  Is there a way to get this working with Webauth and Apache
>>>> 2.2?
>
> Interesting.  That directive isn't even documented for mod_authnz_ldap.
> Is that the LDAP module that you're using?

Apache reports the following LDAP-related modules in use:
 ldap_module (shared)
 authnz_ldap_module (shared)

> I'm looking at:
>
>    http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

Right: that section of the Apache docs was what gave me the idea to
try that syntax originally in 2.0.

>> We're using Webauth with Kerberos to do authentication, and LDAP for
>> authorization (with `Require ldap-user ...` or `Require ldap-group
>> ...`).  Specifying an `AuthLDAPURL` still works in this context, but
>> only with a single server, not multiple servers as mentioned above.
>
> The documentation seems to be written assuming that the mod_authnz_ldap
> module will be used for both authentication and authorization, whereas
> you're using it only for authorization, so it's a bit hard to follow for
> this case.  But so far as I can tell, it should do an anonymous bind (or
> use the configured password bind credentials) and work properly for this
> case when combined with another authentication module.
>
> The instances of that error that I'm seeing are for unquoted LDAP URLs
> with multiple servers, at least so far as I can untangle other people's
> experiences.

The fact that this remains in the documentation for 2.2, and there's
no mention of deprecation, makes me suspect a local configuration
problem, which is certainly possible.  I'll scan for that.  If there's
a way to integrate this into the service alias solution, which seems
like a cleaner way to configure, I'd be interested to know, but aside
from the service type of the auth provider, that doesn't seem to have
much to do with Webauth.

Thanks for your help.

~John



More information about the webauth-info mailing list