Web LDAP authorization

Viewing 5 posts - 1 through 5 (of 5 total)
  • #358132
    honestpuck
    Participant

    Hi all,

    I’m trying to get any of the LDAP authorization modules for Apache working on OS X Server 10.3.4 without any luck at all.

    Anyone succeeded in doing this? Would love to hear which one you used and any tips.

    Tony Williams

    #358147
    honestpuck
    Participant

    > MacTroll wrote:
    >
    > You’re probably running into password problems.
    >
    > Is the module expecting to find the hashed password in the user record?
    >
    > Joel

    Hard to tell. The code is fairly opaque. mod_auth_ldap has a debugging mode and appears to be writing nothing to the error log. I haven’t got logging working in auth_ldap either. It looks like both should write something to the log before getting as far as checking the password.

    Tony

    #358229
    honestpuck
    Participant

    After some fairly intensive log reading and trying five different modules I’ve finally got LDAP authorization working in Apache.

    The answer was to use an earlier Apache module, mod_LDAPauth from Piet Ruyssinck. This one did have some problems, though. It didn’t like Apple’s group model and didn’t allow uids longer than 8 characters.

    I’ve spent some time modifying it so it now works great with longer names and Apple’s groups. You can get a copy from my blog at http://honestpuck.com/Computers/Macintosh/mod_LDAPauth

    Tony Williams

    #359113
    Anonymous
    Guest

    Does your module work with Apache2?
    I configured (standard distribution from apache.org) with
    ./configure --prefix=/opt/apache2 --with-ldap --enable-ldap --enable-auth-ldap

    and I want to authenticate with the osx server openldap.

    I got it working ok for “valid-user” or “require user” with:
    ***

    AuthType Basic
    AuthName "Internal"
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/255.255.255.0
    AuthLDAPURL ldap://127.0.0.1/cn=users,dc=domain,dc=com?uid
    Require valid-user
    Satisfy any
    Require no-user

    ***

    But I can’t get it to accept a group member… I tried:

    ***

    AuthType Basic
    AuthName "Office"
    Order deny,allow
    Deny from all
    AuthLDAPURL ldap://127.0.0.1/cn=users,dc=domain,dc=com?uid
    require group=office
    Require no-user

    ***

    Why won’t it work?
    It does find the user, but can’t see the group membership.
    Maybe it needs AuthLDAPGroupAttribute?

    Anyone familiar with this?

    Joachim

    #359158
    honestpuck
    Participant

    No, my module won’t work in Apache 2.0, though you could do the same hack to the Apache 2.0 module.

    The problem is the difference between the model of group membership used by Netscape’s LDAP server, which most modules are written for, and the one Apple use.

    I may eventually write an Apache 2.0 version of my hack, but I don’t know when.

    Tony
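
The group-model mismatch Tony describes, and the AuthLDAPGroupAttribute setting Joachim suspected, as an added configuration example (not posted by anyone in this thread and not part of Tony's module). It assumes the Apache 2.0 mod_auth_ldap directives, that the OS X Server directory exposes groups as posixGroup entries whose memberUid attribute lists short user names (not DNs, as a Netscape-style groupOfUniqueNames would), and that the users and groups containers and the group name are cn=users,dc=domain,dc=com, cn=groups,dc=domain,dc=com and "office"; those DNs are placeholders to adapt.

```apache
# Added example, not from the thread. Apache 2.0 mod_auth_ldap group check
# against an Apple Open Directory style group: the group entry is assumed to be
# a posixGroup whose memberUid values are short user names, not DNs.
# Assumed placeholders: directory on 127.0.0.1, users under
# cn=users,dc=domain,dc=com, groups under cn=groups,dc=domain,dc=com,
# and a group named "office".
<Location /office>
    AuthType Basic
    AuthName "Office"

    # Look the user up by uid under the users container (as in the thread).
    AuthLDAPURL ldap://127.0.0.1/cn=users,dc=domain,dc=com?uid

    # By default the module expects Netscape-style groups, whose member
    # attribute (member / uniqueMember) holds full DNs and is compared against
    # the DN of the user it just found. Apple's groups hold short names in
    # memberUid, so name that attribute and say its values are not DNs; the
    # module then compares the login name instead.
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off

    # Require group takes the DN of the group entry, not "group=office".
    Require group cn=office,cn=groups,dc=domain,dc=com

    # Keep the address restriction as an additional gate rather than an
    # alternative to logging in: with "Satisfy all" (the default) both the
    # network check and the LDAP check must pass.
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/255.255.255.0
    Satisfy all
</Location>
```

Two things worth checking against the blocks posted earlier in the thread: `Require group` wants the group's full DN, and `Satisfy any` combined with an `Allow from` subnet means any host on that subnet reaches the resource without presenting credentials at all, so the LDAP check only applies to clients outside 192.168.1.0/24. If the intent is that everyone authenticates, use `Satisfy all` (or drop the address rules).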
