mod_auth_kerb and mod_authnz_ldap

Hi.

I'm trying to get a setup working where kerberos does authentication
and ldap does authorization based on an Active Directory group.

Alone the kerberos stuff works excellent. Even with a "Require group
something" from a group file.

But going to the LDAP configuration something goes wrong:

--- config ---
                AuthType Kerberos
                AuthName "SPNEGO"
                KrbAuthRealms REALM
                KrbMethodNegotiate on
                KrbMethodK5Passwd off
                KrbStripRealm on
                Krb5Keytab /etc/val.keytab
                KrbServiceName <service>
                AuthLDAPBindDN "Jesper@domain"
                AuthLDAPBindPassword SECRET
                AuthzLDAPAuthoritative off
                AuthLDAPUrl "ldap://<AD-URI>?sAMAccountName"
                Require ldap-group CN=TestGroup,OU=Groups,OU=Company
                require valid-user
---------------
When Im' in the group.. it logs:
[Fri Dec 05 21:18:40 2008] [debug] mod_authnz_ldap.c(730): [client
10.194.134.5] [24636] auth_ldap authorise: require group
: authorisation successful (attribute member) [Comparison true
(cached)][Compare True

And when I not in the group it logs:
[Fri Dec 05 22:27:44 2008] [debug] mod_authnz_ldap.c(847): [client
10.194.134.5] [28497] auth_ldap authorise: declining to
authorise

.. Which both seems correct.

The problem is that in both cases I end up getting the pages served.
Why dont I get a 401 in the second situation?

Thanks.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

On 12/5/08, Jesper Krogh <[hidden email]> wrote:

>                 Require ldap-group CN=TestGroup,OU=Groups,OU=Company
>                 require valid-user

Require directives are OR'ed not AND'ed, despite the way "require" sounds.

--
Eric Covener
[hidden email]

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

On Fri, Dec 5, 2008 at 11:48 PM, Eric Covener <[hidden email]> wrote:
> On 12/5/08, Jesper Krogh <[hidden email]> wrote:
>
>>                 Require ldap-group CN=TestGroup,OU=Groups,OU=Company
>>                 require valid-user
>
> Require directives are OR'ed not AND'ed, despite the way "require" sounds.

Removing the "require valid-user" from the configurataion changes the
error message to:
[Sat Dec 06 07:49:26 2008] [debug] mod_authnz_ldap.c(852): [client
10.194.134.5] [22264] auth_ldap authorise: authorisation denied

But It still lets people in instead of sending a 401 page.

--
Jesper

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

On Sat, Dec 6, 2008 at 1:51 AM, Jesper Krogh <[hidden email]> wrote:
Weird on a few fronts, are you sure this log entry corresponds to the 200?

1)  "AuthzLDAPAuthoritative off" means you should see "declining to
authorise" instead of "authorization denied"
2) Once you see this message, i don't think any other module would be
have a chance to flip it to a 200

--
Eric Covener
[hidden email]

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]

>> But It still lets people in instead of sending a 401 page.
>
> Weird on a few fronts, are you sure this log entry corresponds to the 200?

Triple checking.. You're right It "just bloody works".

> 1)  "AuthzLDAPAuthoritative off" means you should see "declining to
> authorise" instead of "authorization denied"
> 2) Once you see this message, i don't think any other module would be
> have a chance to flip it to a 200

It was the browser cache playing tricks on me, the correct codes was
indeed written in the apachelogs
... when the caching was flushed and.

--
Jesper

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [hidden email]
   "   from the digest: [hidden email]
For additional commands, e-mail: [hidden email]