[SOLVED] [users@httpd] LDAP query translation from 2.2 to 2.4


Darryl Philip Baker
With a lot of searching I found the correct syntax is:
                AuthLDAPUrl     "ldaps://evregistryprda.cyber.example.com.cyber.example.com:1636 chregistryprda.cyber.example.com.cyber.example.com:1636 evregistryprdb.cyber.example.com.cyber.example.com:1636 chregistryprdb.cyber.example.com.cyber.example.com:1636/dc=example,dc=com?uid?sub?(objectclass=*)"

Darryl Baker, GSEC  (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave.
Suite 6-600 – Box #39
Evanston, IL  60201-3715
[hidden email]
(847) 467-6674
 

On 8/26/20, 2:24 PM, "Darryl Philip Baker" <[hidden email]> wrote:

    I have been experimenting and I can get the AuthLDAPURL line to work if I have only one host:port listed. 2 or more fails. Has anyone gotten multiple host:port entries in the AuthLDAPURL argument list?

    The documentation says:
    host:port
    The name/port of the ldap server (defaults to localhost:389 for ldap, and localhost:636 for ldaps). To specify multiple, redundant LDAP servers, just list all servers, separated by spaces. mod_authnz_ldap will try connecting to each server in turn, until it makes a successful connection. If multiple ldap servers are specified, then entire LDAP URL must be encapsulated in double quotes.



    On 8/26/20, 10:39 AM, "Darryl Philip Baker" <[hidden email]> wrote:

        All I get is:
        AH00526: Syntax error on line 131 of /opt/rh/httpd24/root/etc/httpd/conf.d/ldapdir.conf:
        Bad LDAP URL while parsing.



        On 8/26/20, 10:36 AM, "Eric Covener" <[hidden email]> wrote:

            On Wed, Aug 26, 2020 at 11:34 AM Darryl Philip Baker
            <[hidden email]> wrote:
            >
            > I am trying to port a configuration from Apache 2.2 to Apache 2.4 that is used for LDAP authentication, but I have little knowledge of LDAP. I can translate “Order deny,allow” and “Deny from All”. I have found that “AuthzLDAPAuthoritative off” has been removed from Apache 2.4. I am getting a syntax error on the AuthLDAPUrl line. From one of the examples I found, do I need to change from a Directory block to a Location block?
            >
            > Here is what the stanza is in Apache 2.2
            >
            > <Directory "/usr/local/www/docs/it/snaps">
            >          Options -Indexes +FollowSymLinks +ExecCGI +Includes
            >          Order deny,allow
            >          Deny from All
            >          AuthName "Enter Your Netid and Password"
            >          AuthType basic
            >          AuthBasicProvider ldap
            >          AuthzLDAPAuthoritative off
            >          AuthLDAPBindDN "cn=sanitycheck, ou=Service, dc=example, dc=com"
            >          AuthLDAPBindPassword "tmd+pkx"
            >          AuthLDAPUrl     "ldaps://evregistryprda.cyber.example.com.cyber.example.com:1636 ldaps://chregistryprda.cyber.example.com.cyber.example.com:1636 ldaps://evregistryprdb.cyber.example.com.cyber.example.com:1636 ldaps://chregistryprdb.cyber.example.com.cyber.example.com:1636/dc=example,dc=com?uid?sub?(objectclass=*)"
            >          Require valid-user
            >          Satisfy any
            >    </Directory>
            >

            Should be no difference. Can you share the verbatim error message you
            get from `apachectl -t`?

            ---------------------------------------------------------------------
            To unsubscribe, e-mail: [hidden email]
            For additional commands, e-mail: [hidden email]





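An added example, not from the thread or from httpd itself: it parses an AuthLDAPUrl value into the pieces the quoted 2.4 documentation describes (scheme, host:port list, base DN, attribute, scope, filter) and rewrites the 2.2 habit of prefixing every host with ldaps:// into the single-scheme, space-separated host list shown in the solved message. The hostnames in the sample are constructed, and the defaults for attribute, scope and filter are the ones documented for mod_authnz_ldap.

```python
import re

# An AuthLDAPUrl, as the 2.4 documentation quoted in the thread lays it out:
#   scheme://host1:port host2:port .../basedn?attribute?scope?filter
# The scheme appears once; redundant servers are a bare, space-separated list.
SCHEME_RE = re.compile(r"^(ldaps?)://", re.IGNORECASE)


def parse_authldapurl(url: str) -> dict:
    """Split an AuthLDAPUrl into its parts; tolerate a scheme on every host."""
    tokens = url.strip().strip('"').split()
    if not tokens:
        raise ValueError("empty AuthLDAPUrl")
    schemes, hosts = set(), []
    for tok in tokens:
        m = SCHEME_RE.match(tok)
        if m:                      # 2.2-style configs repeat ldaps:// per host
            schemes.add(m.group(1).lower())
            tok = tok[m.end():]
        hosts.append(tok)
    if len(schemes) != 1:          # no scheme, or ldap:// mixed with ldaps://
        raise ValueError(f"expected exactly one scheme, saw {sorted(schemes)}")
    # The base DN and the ?-separated query parts hang off the last host token.
    last_host, _, path = hosts[-1].partition("/")
    hosts[-1] = last_host
    for h in hosts:
        if not h or "/" in h:      # a path on a non-final host is a malformed list
            raise ValueError(f"bad host entry {h!r}")
    basedn, attribute, scope, ldap_filter = (path.split("?", 3) + [""] * 3)[:4]
    return {
        "scheme": schemes.pop(),
        "hosts": hosts,
        "basedn": basedn,
        "attribute": attribute or "uid",            # documented default
        "scope": (scope or "sub").lower(),          # documented default
        "filter": ldap_filter or "(objectclass=*)", # documented default
    }


def to_24_form(url: str) -> str:
    """Render the URL in the form the solved message reports working on 2.4."""
    p = parse_authldapurl(url)
    return (f'{p["scheme"]}://{" ".join(p["hosts"])}/{p["basedn"]}'
            f'?{p["attribute"]}?{p["scope"]}?{p["filter"]}')


# Constructed sample in the 2.2 style (scheme repeated on each host).
OLD_URL = ("ldaps://ldap-a.example.com:1636 ldaps://ldap-b.example.com:1636"
           "/dc=example,dc=com?uid?sub?(objectclass=*)")

if __name__ == "__main__":
    print(to_24_form(OLD_URL))
```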