httpd-users mailing list archives

From Galen Johnson <solita...@gmail.com>
Subject Re: [users@httpd] Assistance with file + ldap auth config moving from httpd 2.2 to 2.4
Date Fri, 13 Oct 2017 21:28:15 GMT
Eduardo,

It looks like you're trying to get it working with Xymon so you might want
to ask on that list as well.  I had a heck of a time getting it to work but
I ended up using mod_authnz_external.c to configure it to use PAM.  This is
the config I use:

    <IfModule mod_authnz_external.c>
        # Require SSL connection for password protection.
        SSLRequireSSL

        AuthBasicProvider external file
        AuthExternal pwauth
        AuthGroupFile /etc/xymon/xymongroups
        GroupExternal unixgroup
        <RequireAll>
            # "valid-user" restricts access to anyone who is logged in.
            Require valid-user

            # "group xymon" restricts access to users who have logged in, AND
            # are members of the "xymon" group in xymongroups.
            Require group xymon
        </RequireAll>
    </IfModule>

While not exactly what you're doing, I hope this helps nudge you in the
right direction.

=G=

On Fri, Oct 13, 2017 at 12:10 PM, Eric Covener <covener@gmail.com> wrote:

> Can you crank up the loglevel to trace8? I believe there are some
> spurious error messages when authz modules are reporting their
> individual results vs. getting rolled up to RequireAny.
>
> On Fri, Oct 13, 2017 at 11:46 AM, Eduardo Mayoral <emayoral@arsys.es>
> wrote:
> > Hi, Eric,
> >
> >     Thanks for your fast answer. The reason for the provider aliases is
> > that once I get this config working I would like to re-use it for about
> > 6 different directories.
> >
> >     However, I have tried to flatten the configuration according to your
> > suggestion. I repeated the tests, exact same result. Flattened config
> > follows:
> >
> >       AuthType Basic
> >       AuthName "Xymon user"
> >
> >       AuthBasicProvider file ldap
> >       AuthBasicAuthoritative off
> >
> >       AuthLDAPURL "ldap://REDACTED:3268 REDACTED:3268/DC=arsyslan,DC=es?sAMAccountName?sub?(objectClass=*)" NONE
> >       AuthLDAPBindDN "REDACTED@arsyslan.es"
> >       AuthLDAPBindPassword "REDACTED"
> >       AuthLDAPGroupAttributeIsDN on
> >       AuthLDAPGroupAttribute member
> >       AuthLDAPMaxSubGroupDepth 3
> >
> >       AuthUserFile /etc/xymon/xymonusers.htpasswd
> >       AuthGroupFile /etc/xymon/xymongroups.htpasswd
> >
> >
> >       <RequireAny>
> >         Require group XymonUsers
> >         Require ldap-group cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es
> >       </RequireAny>
> >
> >
> > Eduardo Mayoral Jimeno (emayoral@arsys.es)
> > Administrador de sistemas. Departamento de Plataformas. Arsys internet.
> > +34 941 620 145 ext. 5153
> >
> > On 13/10/17 16:47, Eric Covener wrote:
> >> On Fri, Oct 13, 2017 at 10:06 AM, Eduardo Mayoral <emayoral@arsys.es> wrote:
> >>> Hi,
> >>>
> >>>     I am trying to move a web application from httpd 2.2 to httpd 2.4 ,
> >> I don't think all of those provider-aliases are necessary. Did you
> >> try a simpler, more direct port of the config?
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
> >
> >
>
>
>
> --
> Eric Covener
> covener@gmail.com
>
>
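
With the log level raised as Eric asks, mod_authz_core writes one AH01626 "authorization result of ..." debug line per `Require` directive and one for the enclosing container. The script below is an added example, not code from this thread or from httpd: it groups those lines per client so that per-directive denials overridden by a granting `<RequireAny>` are separated from real denials. The sample lines are constructed, and the line layout, the `triage` and `_line` names, and a single flat container (as in Eduardo's flattened config) are assumptions.

```python
import re

# AH01626 is mod_authz_core's per-directive debug message (line layout assumed).
AH01626 = re.compile(
    r"\[pid (?P<pid>\d+)\].*?\[client (?P<client>[^\]]+)\] AH01626: "
    r"authorization result of (?P<directive>.+?) ?: "
    r"(?P<result>granted|denied \(no authenticated user yet\)|denied|neutral)\s*$")

def triage(log_text):
    """Return one record per completed <Require*> container line."""
    pending, decisions = {}, []   # pending: (pid, client) -> child results so far
    for line in log_text.splitlines():
        m = AH01626.search(line)
        if not m:
            continue
        key = (m["pid"], m["client"])
        if m["directive"].startswith("<"):      # container line closes the group
            children = pending.pop(key, [])
            decisions.append({
                "client": m["client"],
                "container": m["directive"],
                "final": m["result"],
                # Child denials that the container overrode: noise, not a failure.
                "overridden": [d for d, r in children
                               if r.startswith("denied") and m["result"] == "granted"],
            })
        else:
            pending.setdefault(key, []).append((m["directive"], m["result"]))
    return decisions

def _line(client, msg):  # hypothetical helper: builds one constructed log line
    return ("[Fri Oct 13 17:40:01.000000 2017] [authz_core:debug] [pid 4242] "
            f"mod_authz_core.c(809): [client {client}] AH01626: authorization result of {msg}")

LDAP_GROUP = "Require ldap-group cn=XymonAccess,OU=Aplicaciones,OU=Usuarios,DC=arsyslan,DC=es"
# Constructed sample: two clients, interleaved, against the flattened <RequireAny> config.
SAMPLE_LOG = "\n".join([
    _line("192.0.2.10:50001", "Require group XymonUsers : denied"),
    _line("192.0.2.20:50002", "Require group XymonUsers : denied"),
    _line("192.0.2.10:50001", LDAP_GROUP + " : granted"),
    _line("192.0.2.10:50001", "<RequireAny>: granted"),
    _line("192.0.2.20:50002", LDAP_GROUP + " : denied"),
    _line("192.0.2.20:50002", "<RequireAny>: denied"),
])

if __name__ == "__main__":
    for d in triage(SAMPLE_LOG):
        print(d["client"], d["container"], d["final"], "overridden:", d["overridden"])
```

A record whose `final` is `granted` with a non-empty `overridden` list is the case Eric describes: an individual provider reported a denial that the container rolled up into a grant.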
