Re: Invalid dn errors for valid dns?

On Fri, 28 May 2004 ser@germane-software.com wrote:

> First, the class -- as you said -- must be groupOfNames, and the member
> attribute fully qualified DNs.  The LDAP entry now looks like:
>
>   dn: cn=svnTLR, ou=Group, dc=germane-software, dc=com
>   cn: svnTLR
>   objectClass: groupOfNames
>   objectClass: top
>   member: uid=ser,ou=People,dc=germane-software,dc=com
>   member: uid=aviram,ou=People,dc=germane-software,dc=com
>
> Second, the Apache docs clearly state that you're to not put quotes around
> the group name.  Elsewhere, I read that you're also not supposed to add
> the base name, as auth_ldap does that for you, but that appears to be
> incorrect, and it doesn't say this in the auth_ldap documentation from
> Apache.  The Apache configuration part now looks like this:
>
>   AuthName "Sean test"
>   AuthType basic
>   AuthLDAPURL "ldap://localhost/ou=People,dc=germane-software,dc=com?uid?sub"
>
>   Require group cn=svnTLR, ou=Group, dc=germane-software, dc=com

Just as a further note; if you want to use dynamic groups, you can place
them directly in the AuthLDAPURL:

ldap://localhost/ou=People,dc=germane-software,dc=com?uid?sub?(ou=svnTLR)

The advantage of handling things that way (as opposed to groupOfNames) is
that when the entry containing the svnTLR ou goes away, their group
membership goes away with it (instead of leaving a DN in the group entry
that you have to prune). Plus, all group memberships are easily viewed
by retrieving the entry for any individual user. Some other apps may
require groupOfNameses, though, so YMMV.

--
John Klein
Database Applications Developer
Information Technology Services - Harvard Law School
Omnia Mutantur, Nihil Interit
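As an added example (not code from this thread, from Apache, or from either poster), here is a small Python model of the two membership schemes the reply contrasts. It parses an AuthLDAPURL into its RFC 4516 parts with mod_auth_ldap's documented defaults, builds the combined `(&(filter)(uid=user))` search the module performs, and then deletes one user entry to show that the dynamic filter immediately stops matching while the groupOfNames entry still carries the stale member DN that has to be pruned. The in-memory directory, the `uid=guest` entry, the `ou: svnTLR` attribute on the People entries and the `matches()` filter evaluator are constructed assumptions; a real deployment would send the same search to the server with an LDAP client instead.

```python
import copy
import re
from urllib.parse import unquote

# Constructed sample directory. The group entry mirrors the LDIF quoted in the
# thread; the ou attributes on the users and the uid=guest entry are assumptions.
BASE_PEOPLE = "ou=People,dc=germane-software,dc=com"
DN_SER = "uid=ser," + BASE_PEOPLE
DN_AVIRAM = "uid=aviram," + BASE_PEOPLE
DN_GUEST = "uid=guest," + BASE_PEOPLE
GROUP_DN = "cn=svnTLR,ou=Group,dc=germane-software,dc=com"

DIRECTORY = {
    DN_SER:    {"objectClass": ["inetOrgPerson"], "uid": ["ser"], "ou": ["svnTLR"]},
    DN_AVIRAM: {"objectClass": ["inetOrgPerson"], "uid": ["aviram"], "ou": ["svnTLR"]},
    DN_GUEST:  {"objectClass": ["inetOrgPerson"], "uid": ["guest"]},
    GROUP_DN:  {"objectClass": ["groupOfNames", "top"], "cn": ["svnTLR"],
                "member": [DN_SER, DN_AVIRAM]},
}

STATIC_URL = "ldap://localhost/ou=People,dc=germane-software,dc=com?uid?sub"
DYNAMIC_URL = STATIC_URL + "?(ou=svnTLR)"     # the dynamic-group form from the reply


def parse_ldap_url(url):
    """Split an RFC 4516 URL (host/base?attrs?scope?filter) into its parts,
    filling missing fields with mod_auth_ldap's documented defaults."""
    m = re.fullmatch(r"ldaps?://([^/]*)/?(.*)", url)
    if not m:
        raise ValueError("not an ldap URL: %r" % url)
    fields = m.group(2).split("?")
    fields += [""] * (4 - len(fields))           # pad absent trailing fields
    base, attrs, scope, flt = fields[:4]
    return {"host": m.group(1), "base": unquote(base),
            "attribute": unquote(attrs) or "uid", "scope": scope or "sub",
            "filter": unquote(flt) or "(objectClass=*)"}


def escape_filter_value(value):
    """RFC 4515 escaping: a login name must not be able to change filter structure."""
    return re.sub(r"[\\*()\x00]", lambda ch: "\\%02x" % ord(ch.group()), value)


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _split_components(body):
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'], honouring nested parentheses."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(body[start:i + 1])
    return parts


def matches(entry, flt):
    """Toy evaluator for equality, presence (attr=*), (&...) and (|...) filters.
    Names and values compare case-insensitively, like caseIgnoreMatch."""
    flt = flt.strip()
    if flt[:2] in ("(&", "(|"):
        results = [matches(entry, sub) for sub in _split_components(flt[2:-1])]
        return all(results) if flt[1] == "&" else any(results)
    m = re.fullmatch(r"\(([\w;.-]+)=([^()]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: %r" % flt)
    attr, raw = m.group(1).lower(), m.group(2)
    have = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    if raw == "*":                               # presence test, checked before unescaping
        return bool(have)
    want = _unescape(raw).lower()
    return any(v.lower() == want for v in have)


def search(directory, base, flt):
    """Subtree search (scope 'sub' assumed): entries under base matching flt."""
    return [dn for dn, entry in directory.items()
            if dn.lower().endswith(base.lower()) and matches(entry, flt)]


def find_user(directory, url, username):
    """DN mod_auth_ldap would bind as, or None. The module ANDs the URL filter with
    the login attribute; util_ldap treats anything but exactly one hit as failure."""
    u = parse_ldap_url(url)
    combined = "(&%s(%s=%s))" % (u["filter"], u["attribute"], escape_filter_value(username))
    hits = search(directory, u["base"], combined)
    return hits[0] if len(hits) == 1 else None


def static_group_allows(directory, group_dn, user_dn):
    """'Require group <dn>' against groupOfNames: is user_dn listed as a member?"""
    members = directory.get(group_dn, {}).get("member", [])
    return user_dn.lower() in (m.lower() for m in members)


def dynamic_allows(directory, url, username):
    """Dynamic group: the membership test is inside the search filter itself."""
    return find_user(directory, url, username) is not None


def stale_members(directory, group_dn):
    """Member DNs with no entry behind them: the ones the reply says you must prune."""
    existing = {dn.lower() for dn in directory}
    members = directory.get(group_dn, {}).get("member", [])
    return [m for m in members if m.lower() not in existing]


def demo():
    """Delete aviram's entry and compare what each scheme still believes."""
    d = copy.deepcopy(DIRECTORY)
    del d[DN_AVIRAM]
    return {"static_still_lists_aviram": static_group_allows(d, GROUP_DN, DN_AVIRAM),
            "stale": stale_members(d, GROUP_DN),
            "dynamic_aviram": dynamic_allows(d, DYNAMIC_URL, "aviram"),
            "dynamic_ser": dynamic_allows(d, DYNAMIC_URL, "ser"),
            "dynamic_guest": dynamic_allows(d, DYNAMIC_URL, "guest")}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `stale_members()` check is the piece worth keeping around if you stay with groupOfNames: a leftover member DN is not just clutter, because an entry later created at that same DN inherits the membership without anyone re-approving it, whereas with the filter form a recreated user starts with whatever attributes the new entry actually carries.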