
Re: Invalid dn errors for valid dns?



> Your problem has nothing to do with OpenLDAP software, but rather with
> auth_ldap (improper) usage.  The "require group" directive refers to a
> LDAP group, which is supposed to be of objectClass "groupOfNames" and hold

Ok, that makes sense.  I've got the log level cranked up to 4095; is there
a way to get OpenLDAP to be even more verbose, so that I could see that it
was failing because the query was looking for entries in the "groupOfNames"
object class?

> members in the attribute "member", which is DN-valued.  Your group is of
> objectClass posixGroup, and has no "member" attributes; you're telling
> auth_ldap to use the "memberUID" attribute as "member", which, of course
> contains valid POSIX group names but no valid DN values.  This explains
> the (perfectly correct) error you see.  I suggest you check auth_ldap's

Ok, I misunderstood the meaning of "AuthLDAPGroupAttributeIsDN"; I thought
it told auth_ldap to look for just names in the group attribute, not DN
values.

http://httpd.apache.org/docs-2.0/mod/mod_auth_ldap.html#authldapgroupattributeisdn

Thanks for the help.  I suspect that I can fix it with this information.

By the way, is there a reason why group information isn't "standardized"?
I mean, I can understand wanting different namespaces for things, but
there appear to be at least three different dominant group mechanisms,
and they overlap in functionality.

Thanks again!

--- SER
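An added example, not part of the original thread and not auth_ldap's own code: a small Python script that emulates how the "require group" check resolves against the two group styles discussed above. It parses a constructed LDIF (the DNs, user and group names are made up) containing one groupOfNames with a DN-valued "member" attribute and one posixGroup with a name-valued "memberUid" attribute, then runs the membership test with AuthLDAPGroupAttributeIsDN on and off. It reproduces the failure described in the thread (memberUid compared against a DN never matches) and the two configurations that do match.

```python
# Added example (not from the original thread or auth_ldap): emulates the
# "require group" membership check against a constructed in-memory directory.
from typing import Dict, List

# Constructed sample directory: a groupOfNames (DN-valued "member"), a
# posixGroup (name-valued "memberUid"), and the user entry they refer to.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example

dn: cn=webadmins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: webadmins
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=webadmins-posix,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: webadmins-posix
gidNumber: 1000
memberUid: alice
"""


def parse_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse a minimal LDIF (no line folding, no base64 values) into
    {dn: {attribute: [values]}}, with DNs and attribute names lower-cased."""
    entries: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                     # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
            continue
        if current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        current.setdefault(attr, []).append(value)
    return entries


def is_group_member(directory, group_dn: str, user_dn: str, username: str,
                    group_attr: str = "member", attr_is_dn: bool = True) -> bool:
    """Mimic auth_ldap's group test.

    With AuthLDAPGroupAttributeIsDN on, the authenticated user's DN is compared
    against the values of group_attr; with it off, the typed username is used.
    Matching is case-insensitive, as DN and uid matching rules are.
    """
    group = directory.get(group_dn.lower())
    if group is None:
        return False
    values = [v.lower() for v in group.get(group_attr.lower(), [])]
    needle = user_dn.lower() if attr_is_dn else username.lower()
    return needle in values


def run_scenarios() -> Dict[str, bool]:
    """Run the three configurations discussed in the thread and return the results."""
    d = parse_ldif(SAMPLE_LDIF)
    user_dn = "uid=alice,ou=people,dc=example,dc=com"
    gon = "cn=webadmins,ou=groups,dc=example,dc=com"
    posix = "cn=webadmins-posix,ou=groups,dc=example,dc=com"
    return {
        # the documented default: groupOfNames + member, compared by DN
        "groupOfNames/member, IsDN on":
            is_group_member(d, gon, user_dn, "alice"),
        # the poster's setup: memberUid holds names, but IsDN is still on
        "posixGroup/memberUid, IsDN on":
            is_group_member(d, posix, user_dn, "alice", "memberUid", True),
        # memberUid compared by plain username once IsDN is turned off
        "posixGroup/memberUid, IsDN off":
            is_group_member(d, posix, user_dn, "alice", "memberUid", False),
    }


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {'member' if ok else 'NOT a member'}")
```

The second scenario is the one the error in the thread comes from: the group attribute holds POSIX user names, so comparing the user's DN against it can never succeed. Switching either the group type (groupOfNames with "member") or the comparison mode (AuthLDAPGroupAttributeIsDN off with "memberUid") gives a match; which one is appropriate depends on whether the directory is meant to serve DN-based or name-based consumers.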