Apache + LDAP Auth: access to / failed, reason: require directives present and no Authoritative handler
Solution 1
Your 'Require' line reads
Require ldap-group cn=CHANGED, cn=CHANGED
That doesn't look right - I don't believe you can have two cn's in a DN like that.
Solution 2
For me and apache 2.2.14, this works like a champ for access control on a per-group basis
AuthType Basic
AuthName "Secret Area for IT Only"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthLDAPURL "ldap://ldap1.example.int ldap2.company.int/cn=int"
Require ldap-group cn=it,ou=Groups,o=int
"int" is our internal domain for non-public servers.
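As an added example (not code from the thread or from the Apache project), a small Python linter that applies the two checks the answers above point at to an Apache/.htaccess snippet: a Require ldap-group DN built only of cn= RDNs with no container, and a memberUid-style group attribute used while AuthLDAPGroupAttributeIsDN is left at its default of on (in which case mod_authnz_ldap compares the user's full DN, never a bare uid, against the group attribute). Both sample configs are constructed from the question and from Solution 2, with the page's redacted values kept as-is.

```python
import re

# Constructed from the question's .htaccess (values redacted as on the page).
QUESTION_CONFIG = """
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
Require ldap-group cn=CHANGED, cn=CHANGED
AuthLDAPURL "ldap://localhost/dc=CHANGED,dc=CHANGED?uid?sub?(objectClass=posixAccount)"
AuthLDAPGroupAttribute memberUid
"""
# Constructed from the working config given in Solution 2.
WORKING_CONFIG = """
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
AuthLDAPURL "ldap://ldap1.example.int ldap2.company.int/cn=int"
Require ldap-group cn=it,ou=Groups,o=int
"""

def parse_directives(text):
    """Yield (name, args) for each non-comment line; quoted args stay whole."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, rest = line.partition(" ")
            yield name.lower(), [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', rest)]

def lint(text):
    """Return the findings for one config block (an empty list means it looks sane)."""
    conf, groups, findings = {}, [], []
    for name, args in parse_directives(text):
        if name == "require" and args[:1] == ["ldap-group"]:
            groups.append(" ".join(args[1:]))  # the group DN is the rest of the line
        elif name != "require":
            conf[name] = args
    for dn in groups:
        # Split the DN into attr=value RDNs on unescaped commas.
        rdns = [p.strip().partition("=") for p in re.split(r"(?<!\\),", dn)]
        if any(not attr or not sep or not val for attr, sep, val in rdns):
            findings.append(f"malformed group DN {dn!r}")
        elif {attr.lower() for attr, _, _ in rdns} == {"cn"}:
            findings.append(f"group DN {dn!r} has only cn= RDNs and no container (ou=/o=/dc=)")
    # memberUid holds bare uids, but AuthLDAPGroupAttributeIsDN defaults to on, so the
    # user's full DN would be compared against it and never match.
    is_dn = conf.get("authldapgroupattributeisdn", ["on"])[0].lower()
    attrs = [a.lower() for a in conf.get("authldapgroupattribute", ["member", "uniquemember"])]
    if groups and "memberuid" in attrs and is_dn != "off":
        findings.append("AuthLDAPGroupAttribute memberUid needs AuthLDAPGroupAttributeIsDN off")
    return findings
```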
Comments
-
Karolis T. almost 2 years
Can't solve this one, here's my .htaccess:
AuthPAM_Enabled Off
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthName "MESSAGE"
Require ldap-group cn=CHANGED, cn=CHANGED
AuthLDAPURL "ldap://localhost/dc=CHANGED,dc=CHANGED?uid?sub?(objectClass=posixAccount)"
AuthLDAPBindDN CHANGED
AuthLDAPBindPassword CHANGED
AuthLDAPGroupAttribute memberUid
AuthLDAPURL is correct, BindDN and BindPassword are correct also (verified with ldapvi -D ..).
Apache version: Apache/2.2.9 (Debian)
The error message seems cryptic to me; I have AuthzLDAPAuthoritative on, so where's the problem?
EDIT:
LDAP modules are loaded, the problem is not with them being missing.
# ls /etc/apache2/mods-enabled/*ldap*
/etc/apache2/mods-enabled/authnz_ldap.load
/etc/apache2/mods-enabled/ldap.load
EDIT2:
Solved it by replacing the funky
Require ldap-group cn=CHANGED, cn=CHANGED
line with
Require valid-user
Since AuthzLDAPAuthoritative is on, no other auth methods will be used and valid-user requirement will auth via LDAP. (right? :/)
-
crb about 15 years
Do you have two "cn"s in your Require ldap-group, or is that just your redacting?
-
Matt Simmons about 15 years
Funny question, but you did do AllowOverride all in your <Directory "/"> definition, right?
-
crb about 15 years
Was my comment enough that I should post it as an answer and you accept it? :)
-
Karolis T. about 15 years
Sure, go ahead :)
-
Jeffrey Hulten about 15 years
What LDAP source are you using? I have found that the Windows AD LDAP implementation does not allow for a 'sub' level search on a DC, but does work on an OU.
-
Karolis T. about 15 years
Yes, I have them loaded. I've updated the question accordingly.
-
phirschybar about 15 years
"No authoritative handler" implies that apache cannot use them for some reason.
-
Admin over 13 years
One note on Require ldap-group: if you are connecting to the global catalog port, keep in mind that group memberships are NOT replicated to global catalogs UNLESS the group is a universal group. I.e. if you make a Global group AND try to authenticate using require ldap-group AND are connecting to port 3268 IT WILL NOT WORK. Convert it to a universal group and voilà.