Making Apache 2.2 valid-user work with mod_authnz_ldap

Daniel E. Markle's Blog

Projects

Information

Photography

Syndicate This Blog

Thursday, January 3. 2008

Making Apache 2.2 valid-user work with mod_authnz_ldap

Apache 2.2's mod_authnz_ldap has significant differences from Apache 2.0's mod_auth_ldap. Moving to 2.2, some significant changes are needed which can be confusing and cause seemingly nonsensical authorization loops if directives are missed.

Necessary modules

  • auth_basic
  • authz_user
  • ldap
  • authnz_ldap

Directives


AuthType basic
AuthBasicProvider ldap
AuthName "My Site"
AuthLDAPURL ldap://ldap1.example.com/ou=People,o=Example
AuthzLDAPAuthoritative Off
Require valid-user

AuthBasicProvider ldap is needed instead of AuthLDAPEnabled on, which no longer exists as a valid directive.

AuthzLDAPAuthoritative Off is needed to allow the authorization to fall though to Require valid-user, otherwise you will get auth _ldap authorise: authorisation denied in your debug messages after it successfully authenticates the user but fails to find an authorization directive to allow access. These messages will not show up in your logs by default, so it can be confusing if you watch the ldap server, see authentication succeed, and wonder why it keeps requesting a username and password.
Posted by Daniel E. Markle in System Administration at 12:46 | Comments (2) | Trackbacks (0) Tweet This!

Trackbacks
Trackback specific URI for this entry

No Trackbacks

Comments
Display comments as (Linear | Threaded)

You saved what's left of my evening (I'm in France).
I was, indeed, scratching my head trying to find why while LDAP authentication succeeded, Apache was still returning 401 errors.

Thank you for that tip !
#1 Guillaume Grussenmeyer on 2009-01-08 16:19 (Reply)
"AuthzLDAPAuthoritative Off is needed to allow the authorization to fall though to Require valid-user"

Thank you very much - this was not at all obvious from the documentation. Clearly, if no ldap- require is in use, this should be the default option.
#2 John Baker (Homepage) on 2011-01-06 09:42 (Reply)

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.

To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly.
CAPTCHA
 
 

Quicksearch

Lexiyntax @ Twitter

  • Problem, accessing twitter at the moment.
    Please reload later..

Categories

Archives