apache require ldap-group : authorization failed for all but first user

Poison Nuke · 08-25-2016, 06:23 AM

Hello,

I have problems with ldap and apache. I have an openLDAP backend (slapd) managed from phpldapadmin and a very simple groups/users setup.

dc=fritz,dc=box
cn=ldapreader
-ou=groups
-cn=sysops
ou=users
-cn=foo
-cn=bar

both users are member of sysops (gid and memberUid)

In my virtual host configuration of apache I have the following statements:

Code:

                AuthName "test"
                AuthType Basic
                AuthBasicProvider ldap

                #ldap user who can read database
                AuthLDAPBindDN "cn=ldapreader,dc=fritz,dc=box"
                AuthLDAPBindPassword "pass"
                AuthLDAPUrl "ldap://localhost/ou=users,dc=fritz,dc=box?uid"
                AuthLDAPGroupAttribute memberUid
                AuthLDAPGroupAttributeIsDN off

                Require ldap-group cn=sysops,ou=groups,dc=fritz,dc=box

I can login as foo
but I cannot login as bar
(and any subsequent created users)

If I change Require to "valid-users" I can login with both users. So it is releated to require ldap-group.

any suggestions?

mpapet · 09-06-2016, 11:38 AM

My first guess is there is only one user in your LDAP sysops group. My second guess is there is something wrong with user bar.

You need to see if you can replicate the problem using ldapsearch on the command line. Here are a couple of examples: https://access.redhat.com/documentat...psearches.html phpadmin is not a great way to manage an ldap server. (Cue angry replies... Yeah, not going back.)

I use jxplorer as a gui. http://jxplorer.org/

Poison Nuke · 09-06-2016, 11:47 AM

thanks. Almost forgot this thread.

Ive made an interesting obseveration so far: If i change Require to "valid-user", reload apache, log in successfull, restore old configuration and reload again and login again, then it works like expected even with newly created users in sysops.

Looks like the communication between slapd and apache stucks after the first configuration attempt of apache (my guess).

At this time, there a no more problems. I will have a look on this issue when I create a new virtual host with ldap.