Apache LDAP 身份验证:一直被拒绝

Apache LDAP 身份验证:一直被拒绝

这是我的配置(httpd 2.4):

<AuthnProviderAlias ldap zzzldap>
   LDAPReferrals Off
   AuthLDAPURL "ldaps://ldap.zzz.com:636/o=zzz.com?uid?sub?(objectClass=*)"
   AuthLDAPBindDN "uid=zzz,ou=Applications,o=zzz.com"
   AuthLDAPBindPassword "zzz"
</AuthnProviderAlias>

<Location /svn>
   DAV svn
   SVNParentPath /DATA/svn
   AuthType Basic
   AuthName "Subversion repositories"
   SSLRequireSSL
   AuthBasicProvider zzzldap

   <RequireAll>
      Require valid-user
      Require ldap-attribute employeeNumber=12345
      Require ldap-group cn=yyy,ou=Groups,o=zzz.com
   </RequireAll>
</Location>

可以Require valid-user工作。但是 ldap-attribute、ldap-filter、ldap-group 不起作用 -denied始终在日志中。我花了很多时间,但不明白发生了什么。这是我的日志的示例:

[Tue Sep 25 16:42:26.772006 2012] [authz_core:debug] [pid 23087:tid 139684003014400] mod_authz_core.c(802): [client 1.1.1.1:52624] AH01626: authorization result of Require valid-user : granted
[Tue Sep 25 16:42:26.772014 2012] [authz_core:debug] [pid 23087:tid 139684003014400] mod_authz_core.c(802): [client 1.1.1.1:52624] AH01626: authorization result of Require ldap-attribute employeeNumber=12345: denied

我使用 ldapsearch 检查了所有信息:有一个有效的用户名、员工 ID 和其他...

答案1

尝试一下这个方法:

<AuthnProviderAlias ldap zzzldap>
   LDAPReferrals Off
   AuthLDAPURL "ldaps://ldap.zzz.com:636/o=zzz.com?uid?sub?(objectClass=*)"
   AuthLDAPBindDN uid=zzz,ou=Applications,o=zzz.com
   AuthLDAPBindPassword zzz
</AuthnProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-yyy cn=yyy,ou=Groups,o=zzz.com>
   AuthLDAPURL "ldaps://ldap.zzz.com:636/o=zzz.com"
   AuthLDAPBindDN uid=zzz,ou=Applications,o=zzz.com
   AuthLDAPBindPassword zzz
   Require ldap-group cn=yyy,ou=Groups,o=zzz.com
   #Require ldap-attribute employeeNumber=12345
</AuthzProviderAlias>

<Location /svn>
   DAV svn
   SVNParentPath /DATA/svn
   AuthType Basic
   AuthName "Subversion repositories"
   SSLRequireSSL
   AuthBasicProvider zzzldap

   <RequireAll>
      Require valid-user
      Require ldap-group-yyy
  </RequireAll>
</Location>

我不确定“需要 ldap-attribute employeeNumber=12345”部分,但该组现在对我有用。

相关内容