Apache + LDAP Auth: access to / failed, reason: require directives present and no Authoritative handler

17,007

Solution 1

Your 'Require' line reads

Require ldap-group cn=CHANGED, cn=CHANGED

That doesn't look right - I don't believe you can have two cn's in a DN like that.

Solution 2

For me and apache 2.2.14, this works like a champ for access control on a per-group basis

AuthType Basic
AuthName "Secret Area for IT Only"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthLDAPURL "ldap://ldap1.example.int ldap2.company.int/cn=int"
Require ldap-group cn=it,ou=Groups,o=int

"int" is our internal domain for non-public servers.
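The two settings that make Solution 2 work against a POSIX-style group are AuthLDAPGroupAttribute memberUid together with AuthLDAPGroupAttributeIsDN off: the group lists bare usernames, so Apache must compare the user's uid value rather than the user's full DN. The following Python model, added here as an illustration and not mod_authnz_ldap's own code, evaluates a Require line against a small constructed directory (the entries, DNs and the LdapAuthzConfig class are all made up for the example). It also shows why swapping in Require valid-user, as the question's workaround does, grants access to every user who can authenticate against LDAP, not just members of the intended group.

```python
"""Model of how mod_authnz_ldap evaluates 'Require ldap-group' and 'Require
valid-user' (added illustration, not Apache's code). Directory data is constructed."""

from dataclasses import dataclass


def normalize_dn(dn: str) -> str:
    """Normalize a DN for comparison: trim whitespace around commas and fold case.
    Attribute types and cn/uid values use case-insensitive matching in LDAP, so
    folding the whole string is close enough for this model."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed sample directory. 'cn=it' is a posixGroup (members listed by uid),
# 'cn=admins' is a groupOfNames (members listed by full DN).
_RAW_DIRECTORY = {
    "uid=alice,ou=People,o=int": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=People,o=int": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "cn=it,ou=Groups,o=int": {"objectClass": ["posixGroup"], "memberUid": ["alice"]},
    "cn=admins,ou=Groups,o=int": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=People,o=int"],
    },
}
DIRECTORY = {normalize_dn(dn): attrs for dn, attrs in _RAW_DIRECTORY.items()}


@dataclass
class LdapAuthzConfig:
    """Hypothetical container for the Apache directives that matter here."""
    group_attribute: str = "member"       # AuthLDAPGroupAttribute (Apache default: member)
    group_attribute_is_dn: bool = True    # AuthLDAPGroupAttributeIsDN (Apache default: on)
    user_attribute: str = "uid"           # the attribute named in AuthLDAPURL (?uid?)


def lookup(dn: str):
    """Return the entry for a DN, or None if the directory has no such object."""
    return DIRECTORY.get(normalize_dn(dn))


def is_group_member(cfg: LdapAuthzConfig, user_dn: str, group_dn: str) -> bool:
    """Mimic 'Require ldap-group <group_dn>' for an already-authenticated user."""
    user = lookup(user_dn)
    group = lookup(group_dn)
    if user is None or group is None:
        # A mistyped or nonexistent group DN denies everyone; it never widens access.
        return False
    members = group.get(cfg.group_attribute, [])
    if cfg.group_attribute_is_dn:
        # Default mode: the group attribute holds full DNs, compare against the user's DN.
        return normalize_dn(user_dn) in {normalize_dn(m) for m in members}
    # AuthLDAPGroupAttributeIsDN off: the attribute holds bare usernames
    # (memberUid on a posixGroup), so compare against the user's uid value(s).
    return any(uid in members for uid in user.get(cfg.user_attribute, []))


def authorize(cfg: LdapAuthzConfig, user_dn: str, require_line: str) -> bool:
    """Evaluate one Require line for an authenticated user. True means access granted."""
    tokens = require_line.split(None, 2)
    if len(tokens) < 2 or tokens[0].lower() != "require":
        raise ValueError("not a Require line")
    kind = tokens[1].lower()
    if kind == "valid-user":
        # Anyone who authenticated against LDAP is allowed; no group check at all.
        return lookup(user_dn) is not None
    if kind == "ldap-group":
        if len(tokens) < 3:
            raise ValueError("ldap-group needs a group DN")
        return is_group_member(cfg, user_dn, tokens[2])
    raise ValueError(f"unsupported Require type: {kind}")


if __name__ == "__main__":
    posix = LdapAuthzConfig(group_attribute="memberUid", group_attribute_is_dn=False)
    for who in ("uid=alice,ou=People,o=int", "uid=bob,ou=People,o=int"):
        print(who, "ldap-group cn=it:",
              authorize(posix, who, "Require ldap-group cn=it,ou=Groups,o=int"),
              "valid-user:", authorize(posix, who, "Require valid-user"))
```

Run as a script it prints that alice passes both checks while bob passes only valid-user. Note that the default DN-based configuration applied to a posixGroup finds no member attribute and denies everyone, which is the kind of silent mismatch the memberUid/IsDN-off pair in Solution 2 avoids.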


Author: Karolis T.

Live long and prosper.

Updated on September 17, 2022

Comments

  • Karolis T.
    Karolis T. almost 2 years

    Can't solve this one, here's my .htaccess:

    AuthPAM_Enabled Off
    
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthName "MESSAGE"
    Require ldap-group cn=CHANGED, cn=CHANGED
    
    AuthLDAPURL "ldap://localhost/dc=CHANGED,dc=CHANGED?uid?sub?(objectClass=posixAccount)"
    AuthLDAPBindDN CHANGED
    AuthLDAPBindPassword CHANGED
    AuthLDAPGroupAttribute memberUid
    

    AuthLDAPURL is correct, BindDN and BindPassword are correct also (verified with ldapvi -D ..).

    Apache version: Apache/2.2.9 (Debian)

    The error message seems cryptic to me, I have AuthzLDAPAuthoritative on so where's the problem.

    EDIT:

    LDAP modules are loaded, the problem is not with them being missing.

    # ls /etc/apache2/mods-enabled/*ldap*
    /etc/apache2/mods-enabled/authnz_ldap.load  /etc/apache2/mods-enabled/ldap.load
    

    EDIT2:

    Solved it by changing funky

    Require ldap-group cn=CHANGED, cn=CHANGED
    

    line with

    Require valid-user
    

    Since AuthzLDAPAuthoritative is on, no other auth methods will be used and valid-user requirement will auth via LDAP. (right? :/)

    • crb
      crb about 15 years
Do you have two "cn"s in your Require ldap-group, or is it just your redacting?
    • Matt Simmons
      Matt Simmons about 15 years
      Funny question, but you did do AllowOverride all in your <Directory "/"> definition, right?
    • crb
      crb about 15 years
      Was my comment enough that I should post it as an answer and you accept it? :)
    • Karolis T.
      Karolis T. about 15 years
      Sure, go ahead :)
    • Jeffrey Hulten
      Jeffrey Hulten about 15 years
      What LDAP source are you using? I have found that the Windows AD LDAP implementation does not allow for a 'sub' level search on a DC, but does work on an OU.
  • Karolis T.
    Karolis T. about 15 years
    Yes, I have them loaded. I've updated the question accordingly.
  • phirschybar
    phirschybar about 15 years
    "No authoritative handler" implies that apache cannot use them for some reason.
  • Admin
    Admin over 13 years
One note on Require ldap-group: if you are connecting to the global catalog port, keep in mind that group memberships are NOT replicated to global catalogs UNLESS the group is a universal group. I.e. if you make a Global group AND try to authenticate using require ldap-group AND are connecting to port 3268 IT WILL NOT WORK. Convert it to a universal group and voilà.