Hello,
I have successfully set up the zimlet for the Zimbra LDAP administration (the "gregzimbra" Description in the wiki), but without the Samba part. As the domain I took as an example aaa.algites.eu. My Zimbra installation is a multi-server install with 1 LDAP, 1 MTA and 1 MBOX virtual server.
I want to use the LDAP from Zimbra also for the authentication of the Subversion users, going through the Apache 2 HTTP server.
I got the authentication with the Zimbra LDAP working, it works well, but I have a problem with the resolution of the required group. In Apache I have defined the Location like

Code:
<Location "/">
  AuthType Basic
  AuthName "SVN Repository"
  AuthBasicProvider ldap
  AuthzLDAPAuthoritative off
  AuthLDAPBindDN uid=zmposix,cn=appaccts,cn=zimbra
  AuthLDAPBindPassword zimbraposixaccount
  AuthLDAPURL "ldap://zildap:389/OU=people,DC=aaa,DC=algites,DC=eu?uid"
  Require ldap-group CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu
</Location>

but this required group is never resolved. After the password has been successfully validated, I always get the following error messages in the Apache log for that site:

Code:
[Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(745): [client A.B.C.D] [ 2421] auth_ldap authorise: require group: testing for member: uid=test2,ou=people,dc=aaa,dc=algites,dc=eu (CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu)
[Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(761): [client A.B.C.D] [ 2421] auth_ldap authorise: require group "CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
[Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(745): [client A.B.C.D] [ 2421] auth_ldap authorise: require group: testing for uniquemember: uid=test2,ou=people,dc=aaa,dc=algites,dc=eu (CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu)
[Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(761): [client A.B.C.D] [ 2421] auth_ldap authorise: require group "CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]

In the LDAP log, turned on with everything logged that is possible, I have:

Code:
Jan 6 13:11:45 zildap slapd[2532]: => acl_mask: access to entry "cn=svn_access,ou=groups,dc=aaa,dc=algites,dc=eu", attr "uniqueMember" requested
Jan 6 13:11:45 zildap slapd[2532]: => acl_mask: to value by "uid=zmposix,cn=appaccts,cn=zimbra", (=0)
Jan 6 13:11:45 zildap slapd[2532]: <= check a_dn_pat: cn=admins,cn=zimbra
Jan 6 13:11:45 zildap slapd[2532]: <= check a_dn_pat: uid=zmposixroot,cn=appaccts,cn=zimbra
Jan 6 13:11:45 zildap slapd[2532]: <= check a_dn_pat: uid=zmposix,cn=appaccts,cn=zimbra
Jan 6 13:11:45 zildap slapd[2532]: <= acl_mask: [3] applying read(=rscxd) (stop)
Jan 6 13:11:45 zildap slapd[2532]: <= acl_mask: [3] mask: read(=rscxd)
Jan 6 13:11:45 zildap slapd[2532]: => slap_access_allowed: compare access granted by read(=rscxd)
Jan 6 13:11:45 zildap slapd[2532]: => access_allowed: compare access granted by read(=rscxd)
Jan 6 13:11:45 zildap slapd[2532]: send_ldap_result: conn=2334 op=5 p=3
Jan 6 13:11:45 zildap slapd[2532]: send_ldap_result: err=16 matched="" text=""
Jan 6 13:11:45 zildap slapd[2532]: send_ldap_response: msgid=6 tag=111 err=16
Jan 6 13:11:45 zildap slapd[2532]: conn=2334 op=5 RESULT tag=111 err=16 text=

In the logs there are also the requests for the "member" attribute, but with the same lack of success... I have also tried the attribute "memberOf" by redefining the group membership attribute name in the location by

Code:
AuthLDAPGroupAttribute memberOf

but then it returned some other error, which is also returned in the case the attribute name is invalid.
I also tried to put there some non-existent group instead of "svn_access", then I get the correct (and different) error message that the group object is not found...
The given user test2@aaa.algites.eu is defined in Zimbra, and the posix IDs are created OK.
Possible causes could be the following (I have tried everything possible but do not know what exactly):
1. I have specified the membership in the given group SVN_access in a wrong way - as memberUID I have tried to write there the posix number of the user or the username ("test2"). Is this correct? It does not work with the number or the username - what should be entered as memberUID into the posix group definition?
2. Are the group names case sensitive? I think it helped me also not to remove the capital letters from the group name, as well as the dots and underlines from the group name, but possibly I could have forgotten something somewhere...
3. Should some other group membership attribute be used on Apache? But which?
I would really appreciate any help or pointers, it took me really a lot of time and the solution is still unknown...
Thanx in advance, Archie
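
An added example, not part of the original post: a small Python parser that pairs each compare result in a slapd debug log with the group entry and attribute being tested, and names the LDAP result code (err=16 is noSuchAttribute in RFC 4511; tag=111 is the CompareResponse). The log lines are constructed from the excerpt quoted in the post; the op=4 "member" lines and the function name `summarize_compares` are assumptions.

```python
import re

# LDAP result codes from RFC 4511 that a group-membership compare can return.
RESULT_NAMES = {5: "compareFalse", 6: "compareTrue", 16: "noSuchAttribute",
                32: "noSuchObject", 50: "insufficientAccessRights"}
COMPARE_RESPONSE_TAG = 111  # BER tag 0x6f, LDAP CompareResponse

# Constructed sample, modelled on the slapd lines quoted in the post.
GROUP = "cn=svn_access,ou=groups,dc=aaa,dc=algites,dc=eu"
SAMPLE_LOG = "\n".join([
    f'Jan  6 13:11:45 zildap slapd[2532]: => acl_mask: access to entry "{GROUP}", attr "member" requested',
    'Jan  6 13:11:45 zildap slapd[2532]: => access_allowed: compare access granted by read(=rscxd)',
    'Jan  6 13:11:45 zildap slapd[2532]: conn=2334 op=4 RESULT tag=111 err=16 text=',
    f'Jan  6 13:11:45 zildap slapd[2532]: => acl_mask: access to entry "{GROUP}", attr "uniqueMember" requested',
    'Jan  6 13:11:45 zildap slapd[2532]: => access_allowed: compare access granted by read(=rscxd)',
    'Jan  6 13:11:45 zildap slapd[2532]: conn=2334 op=5 RESULT tag=111 err=16 text=',
])

ACL_RE = re.compile(r'slapd\[(\d+)\]: => acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested')
GRANT_RE = re.compile(r'slapd\[(\d+)\]: => access_allowed: compare access granted')
RESULT_RE = re.compile(r'slapd\[(\d+)\]: conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')

def summarize_compares(log_text):
    """Pair each compare RESULT with the last entry/attribute seen for that slapd pid.

    Heuristic: assumes the lines of one operation are not interleaved with
    another operation's lines, which holds for the sample above.
    """
    pending = {}   # pid -> {"entry", "attr", "acl_granted"}
    results = []
    for line in log_text.splitlines():
        if m := ACL_RE.search(line):
            pending[m.group(1)] = {"entry": m.group(2), "attr": m.group(3), "acl_granted": False}
        elif (m := GRANT_RE.search(line)) and m.group(1) in pending:
            pending[m.group(1)]["acl_granted"] = True
        elif (m := RESULT_RE.search(line)) and int(m.group(4)) == COMPARE_RESPONSE_TAG:
            ctx = pending.pop(m.group(1), None)
            if ctx is None:
                continue  # RESULT with no preceding acl_mask line in this excerpt
            code = int(m.group(5))
            results.append({**ctx, "conn": int(m.group(2)), "op": int(m.group(3)),
                            "err": code, "name": RESULT_NAMES.get(code, "other")})
    return results

if __name__ == "__main__":
    for r in summarize_compares(SAMPLE_LOG):
        acl = "ACL granted compare" if r["acl_granted"] else "no ACL grant seen"
        print(f'conn={r["conn"]} op={r["op"]} {r["attr"]}: err={r["err"]} ({r["name"]}), {acl}')
```

A result of noSuchAttribute together with a granted compare ACL means the bind account was allowed to look, and the group entry carries no values for the attribute that was tested.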



