[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Invalid dn errors for valid dns?

> Your problem has nothing to do with OpenLDAP software, but rather with
> auth_ldap (improper) usage.  The "require group" directive refers to a


And, just for posterity's sake, I'll enumerate all of the mistakes that I

First, the class -- as you said -- must be groupOfNames, and the member
attribute fully qualified DNs.  The LDAP entry now looks like:

  dn: cn=svnTLR, ou=Group, dc=germane-software, dc=com
  cn: svnTLR
  objectClass: groupOfNames
  objectClass: top
  member: uid=ser,ou=People,dc=germane-software,dc=com
  member: uid=aviram,ou=People,dc=germane-software,dc=com

Second, the Apache docs clearly state that you're to not put quotes around
the group name.  Elsewhere, I read that you're also not supposed to add
the base name, as auth_ldap does that for you, but that appears to be
incorrect, and it doesn't say this in the auth_ldap documentation from
Apache.  The Apache configuration part now looks like this:

  AuthName "Sean test"
  AuthType basic
  AuthLDAPURL "ldap://localhost/ou=People,dc=germane-software,dc=com?uid?sub";

  Require group cn=svnTLR, ou=Group, dc=germane-software, dc=com

Incidently, the following AuthLDAPURL also works; I don't know why.  Is
auth_ldap ignoring the query?

  AuthLDAPURL "ldap://localhost/dc=germane-software,dc=com";

Thanks again for the help.  I have to admit that I find the OpenLDAP log
messages to be cryptic, but it it sweet when I get it to work.

--- SER