Debian and Apache2 nested group ldap support



Hi there,

I would like to ask an LDAP + Apache2 related question. I've been
dealing with this problem for the last couple of days, so here is the
story.

I have to integrate the SVN repositories of my company with the
ActiveDirectory (w2k3). My configuration is the following:

- Debian testing, updated to the latest available binaries, running
kernel Linux version 2.6.18-6-amd64 (Debian 2.6.18.dfsg.1-18etch6).

- The apache packages installed:

ii  apache2                        2.2.9-10        Apache HTTP Server metapackage
ii  apache2-mpm-worker             2.2.9-10        Apache HTTP Server - high speed threaded mod
ii  apache2-utils                  2.2.9-10        utility programs for webservers
ii  apache2.2-common               2.2.9-10        Apache HTTP Server common files
ii  libapache-authznetldap-perl    0.07-4          Apache-Perl module that enables to authorize
ii  libapache2-mod-perl2           2.0.4-4         Integration of perl with the Apache2 web ser
ii  libapache2-reload-perl         0.10-2          Reload Perl modules when changed on disk
ii  libapache2-svn                 1.5.1dfsg1-1    Subversion server modules for Apache

- The apache modules enabled:
lrwxrwxrwx 1 root root 28 2008-07-21 19:58 alias.conf -> ../mods-available/alias.conf
lrwxrwxrwx 1 root root 28 2008-07-21 19:58 alias.load -> ../mods-available/alias.load
lrwxrwxrwx 1 root root 33 2008-07-21 19:58 auth_basic.load -> ../mods-available/auth_basic.load
lrwxrwxrwx 1 root root 33 2008-07-21 19:58 authn_file.load -> ../mods-available/authn_file.load
lrwxrwxrwx 1 root root 34 2008-11-30 16:36 authnz_ldap.load -> ../mods-available/authnz_ldap.load
lrwxrwxrwx 1 root root 33 2008-11-30 16:58 authz_host.load -> ../mods-available/authz_host.load
lrwxrwxrwx 1 root root 32 2008-07-21 19:58 autoindex.conf -> ../mods-available/autoindex.conf
lrwxrwxrwx 1 root root 32 2008-07-21 19:58 autoindex.load -> ../mods-available/autoindex.load
lrwxrwxrwx 1 root root 27 2008-07-21 19:58 cgid.conf -> ../mods-available/cgid.conf
lrwxrwxrwx 1 root root 27 2008-07-21 19:58 cgid.load -> ../mods-available/cgid.load
lrwxrwxrwx 1 root root 26 2008-07-21 20:05 dav.load -> ../mods-available/dav.load
lrwxrwxrwx 1 root root 30 2008-07-21 20:05 dav_svn.conf -> ../mods-available/dav_svn.conf
lrwxrwxrwx 1 root root 30 2008-07-21 20:05 dav_svn.load -> ../mods-available/dav_svn.load
lrwxrwxrwx 1 root root 30 2008-07-21 19:58 deflate.conf -> ../mods-available/deflate.conf
lrwxrwxrwx 1 root root 30 2008-07-21 19:58 deflate.load -> ../mods-available/deflate.load
lrwxrwxrwx 1 root root 26 2008-07-21 19:58 dir.conf -> ../mods-available/dir.conf
lrwxrwxrwx 1 root root 26 2008-07-21 19:58 dir.load -> ../mods-available/dir.load
lrwxrwxrwx 1 root root 26 2008-07-21 19:58 env.load -> ../mods-available/env.load
lrwxrwxrwx 1 root root 27 2008-11-30 16:36 ldap.load -> ../mods-available/ldap.load
lrwxrwxrwx 1 root root 27 2008-07-21 19:58 mime.conf -> ../mods-available/mime.conf
lrwxrwxrwx 1 root root 27 2008-07-21 19:58 mime.load -> ../mods-available/mime.load
lrwxrwxrwx 1 root root 34 2008-07-21 19:58 negotiation.conf -> ../mods-available/negotiation.conf
lrwxrwxrwx 1 root root 34 2008-07-21 19:58 negotiation.load -> ../mods-available/negotiation.load
lrwxrwxrwx 1 root root 27 2008-11-30 16:32 perl.load -> ../mods-available/perl.load
lrwxrwxrwx 1 root root 31 2008-07-21 19:58 setenvif.conf -> ../mods-available/setenvif.conf
lrwxrwxrwx 1 root root 31 2008-07-21 19:58 setenvif.load -> ../mods-available/setenvif.load
lrwxrwxrwx 1 root root 26 2008-07-21 21:19 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root 26 2008-07-21 21:19 ssl.load -> ../mods-available/ssl.load
lrwxrwxrwx 1 root root 29 2008-07-21 19:58 status.conf -> ../mods-available/status.conf
lrwxrwxrwx 1 root root 29 2008-07-21 19:58 status.load -> ../mods-available/status.load

- The subversion packages installed:
ii  libapache2-svn                 1.5.1dfsg1-1    Subversion server modules for Apache
ii  libsvn1                        1.5.1dfsg1-1    Shared libraries used by Subversion

- The related part of my virtual host configuration:
<Location />
AuthBasicProvider ldap
AuthName "L&M Subversion Server"
AuthType Basic
AuthzLDAPAuthoritative on

AuthLDAPURL "ldap://192.168.1.100:389/OU=LMUsers,DC=lmsolutions,DC=hu?sAMAccountName?sub?(objectClass=*)"

AuthLDAPBindDN "CN=SVN LDAP Query User,OU=ServAcc,OU=LMUsers,DC=lmsolutions,DC=hu"
AuthLDAPBindPassword <somepassword>

AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
# AuthLDAPSubGroupClass group
# AuthLDAPSubGroupAttribute member
# AuthLDAPMaxSubGroupDepth 10

require ldap-group CN=LMDevelopers,OU=LMGroups,DC=lmsolutions,DC=hu
</Location>

---------------------------------------------
The communication and authorization basically work, except for one scenario.

When the above listed group (LMDevelopers) contains only people and no
further groups, everything works just perfectly.

Unfortunately I do have nested (sub) groups in my AD group hierarchy,
and would need access to the commented-out AuthLDAPSubGroupClass,
AuthLDAPSubGroupAttribute and AuthLDAPMaxSubGroupDepth options to
make authorization through these nested groups possible.

If I try to use them I get the following error message when starting Apache:
"Syntax error on line 41 of /etc/apache2/sites-enabled/svn-https: Invalid command 'AuthLDAPSubGroupClass', perhaps misspelled or defined by a module not included in the server configuration failed!"

The main Apache documentation states that these options have been available
since version 2.1.
(http://publib.boulder.ibm.com/httpserv/manual70/mod/mod_authnz_ldap.html)

Could you please help me out with what I'm missing, or how I can fix this problem?

Thanks,
Balázs
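Two configurations that do authorize through nested Active Directory groups, added here as an example; this is not code from the original post or from any reply on the list, and it reuses the poster's DNs, bind account and placeholder password as assumptions. Variant A uses the AuthLDAPSubGroup* directives, which need a mod_authnz_ldap that compiles them in (Apache 2.4 does; the 2.2.9 module in the post does not recognise them, which is exactly what the "Invalid command" error reports). Variant B needs no new directives at all: it asks the domain controller to resolve the nesting by putting the LDAP_MATCHING_RULE_IN_CHAIN extensible match (OID 1.2.840.113556.1.4.1941) into the user search filter, which Windows Server 2003 SP2 and later evaluate server-side, so it works with the 2.2 module as posted. Both variants switch to ldaps:// so the bind DN's password and every user's Basic-auth password stop crossing the network in the clear over port 389.

```apache
# --- Variant A: Apache 2.4 mod_authnz_ldap walks the nested groups itself ---
# Requires a mod_authnz_ldap that knows the AuthLDAPSubGroup* directives
# (Apache 2.4). The 2.2.9 module in the post rejects them as "Invalid command".
<Location />
    AuthType Basic
    AuthName "L&M Subversion Server"
    AuthBasicProvider ldap
    # AuthzLDAPAuthoritative was removed in 2.4; do not carry it over.

    # ldaps:// keeps the bind password and the users' passwords off the wire.
    # It needs "LDAPTrustedGlobalCert CA_BASE64 /path/to/ad-ca.pem" (assumed
    # path) in the server-wide config so mod_ldap trusts the DC's certificate.
    # (objectClass=user) narrows the search from the poster's (objectClass=*).
    AuthLDAPURL "ldaps://192.168.1.100:636/OU=LMUsers,DC=lmsolutions,DC=hu?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=SVN LDAP Query User,OU=ServAcc,OU=LMUsers,DC=lmsolutions,DC=hu"
    AuthLDAPBindPassword "<somepassword>"

    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on
    # AD groups have objectClass "group" (not the groupOfNames default) and
    # nest through "member". The depth cap bounds the extra LDAP round trips
    # Apache makes per login when a group tree is deep or contains loops.
    AuthLDAPSubGroupClass      group
    AuthLDAPSubGroupAttribute  member
    AuthLDAPMaxSubGroupDepth   10

    Require ldap-group CN=LMDevelopers,OU=LMGroups,DC=lmsolutions,DC=hu
</Location>

# --- Variant B: let Active Directory resolve the nesting (works on 2.2) ---
# LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) is evaluated by
# the DC and matches a user whose memberOf chain reaches the named group at
# any depth (Windows Server 2003 SP2 or later). Because the group test is part
# of the user search, users outside the tree are never found and therefore
# cannot authenticate, so "Require valid-user" is sufficient.
<Location />
    AuthType Basic
    AuthName "L&M Subversion Server"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on

    AuthLDAPURL "ldaps://192.168.1.100:636/OU=LMUsers,DC=lmsolutions,DC=hu?sAMAccountName?sub?(&(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=LMDevelopers,OU=LMGroups,DC=lmsolutions,DC=hu))"
    AuthLDAPBindDN "CN=SVN LDAP Query User,OU=ServAcc,OU=LMUsers,DC=lmsolutions,DC=hu"
    AuthLDAPBindPassword "<somepassword>"

    Require valid-user
</Location>
```

Before touching Apache, confirm the DC honours the chain rule from the Debian box with the same bind account: `ldapsearch -x -H ldaps://192.168.1.100 -D "CN=SVN LDAP Query User,OU=ServAcc,OU=LMUsers,DC=lmsolutions,DC=hu" -W -b "OU=LMUsers,DC=lmsolutions,DC=hu" "(memberOf:1.2.840.113556.1.4.1941:=CN=LMDevelopers,OU=LMGroups,DC=lmsolutions,DC=hu)" sAMAccountName` should list members of the nested groups, not only direct members; if it returns only direct members the DC predates 2003 SP2 and Variant B will silently deny the nested users. Two behavioural differences of Variant B worth knowing: a user outside the group tree gets a 401 (authentication failure) rather than a 403, and because the group restriction lives in the AuthLDAPURL, any other Location that reuses that URL inherits it.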
