AuthzLDAPAuthoritative and "no authoritative handler"

on 26.02.2008 15:17:38 by Jeff Eggen

Hi folks,

I'm having a problem with my first attempts to migrate a 2.0 server to
2.2, specifically with the LDAP configuration I'm using. I have a
somewhat convoluted directory structure, with different permissions for
different directories. My problem can be summed up with the configuration
in httpd-vhosts.conf (see below); my actual configuration has additional
Directory sections, some of which have multiple "require ldap-users" and
"require ldap-groups", but the two I've copied here are able to recreate
the problem.


AuthLDAPURL ldap://*****/o=root?uid??(objectClass=inetOrgPerson)
AuthLDAPDereferenceAliases never



ServerName docsite.sgi.sk.ca
DocumentRoot "/my/directory/htdocs"


Options Indexes FollowSymLinks Includes
AllowOverride None
AuthBasicProvider ldap-site
AuthName "Login Now Please"
AuthType Basic
AuthzLDAPAuthoritative off
require valid-user
Order allow,deny
Allow from 10.0.0.8 10.0.1.9
Satisfy any



AuthBasicProvider ldap-site
AuthName "Login Now Please"
AuthType Basic
AuthzLDAPAuthoritative on
require ldap-group cn=mygroup,ou=container,ou=container,o=root
Order allow,deny
Allow from 10.0.0.8 10.0.1.9
Satisfy any



The problem is that using this configuration I can sign in to the root of
the site no problem, but when I try getting in to the private directory
that is more restrictive apache throws errors like "access to
/Infrastructure/private/index.html failed, reason: require directives
present and no Authoritative handler." My understanding of the
AuthzLDAPAuthoritative directive from the documentation is that if I'm
using "require valid-user" I need to set it to off, but if I'm using
"require ldap-user" or "require ldap-group" I need to set it to on; I'm
doing so but it doesn't seem to be working as I expected it to. I can't
find any mention on the net of anyone else experiencing this problem after
they get the AuthzLDAPAuthoritative thing under control, so I'm assuming
I'm missing something simple but I can't see what it is.

Any help would be appreciated!

Thanks,

Jeff Eggen
IT Analyst
Saskatchewan Government Insurance
Ph (306) 751-1795
email jeggen@sgi.sk.ca

This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you are not the named addressee, please notify the sender
immediately by e-mail if you have received this e-mail by mistake and
delete this e-mail from your system. If you are not the intended recipient
you are notified that using, disclosing, copying or distributing the
contents of this information is strictly prohibited.

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Re: AuthzLDAPAuthoritative and "no authoritative handler" problems

on 26.02.2008 15:59:13 by Eric Covener

On Tue, Feb 26, 2008 at 9:17 AM, Jeff Eggen wrote:
>
> AuthLDAPURL ldap://*****/o=root?uid??(objectClass=inetOrgPerson)
> AuthLDAPDereferenceAliases never
>

>
>
> AuthBasicProvider ldap-site
> require ldap-group cn=mygroup,ou=container,ou=container,o=root

I believe Brad Nicholes fielded a bug report or users@ on this matter
within the last dozen weeks or so.

When you define AuthLDAPURL in an AuthnProviderAlias, you also need
to explicitly define the AuthLDAPUrl in any context where you use LDAP
authorization (emphasis on authn vs authz)

mod_authnz_ldap probably bailed out of authorization pretty quickly
when it didn't see an AuthLDAPUrl defined.

--
Eric Covener
covener@gmail.com
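
The condition described in the reply above, as an added example that is not part of the thread or of Apache's own tooling: a small Python check that flags sections using `Require ldap-*` when no `AuthLDAPURL` is set in that section or an enclosing one, ignoring a URL that appears only inside `<AuthnProviderAlias>`. The host name, paths and function name are constructed for illustration, and path-based merging between separate `<Directory>` sections is not modelled.

```python
import re

# Constructed sample modelled on the thread's layout; host and paths are placeholders.
URL = "AuthLDAPURL ldap://ldap.example.org/o=root?uid??(objectClass=inetOrgPerson)"
BROKEN = f"""\
<AuthnProviderAlias ldap ldap-site>
    {URL}
</AuthnProviderAlias>
<VirtualHost *:80>
    <Directory "/srv/example/htdocs/private">
        AuthBasicProvider ldap-site
        AuthzLDAPAuthoritative on
        Require ldap-group cn=mygroup,ou=container,ou=container,o=root
    </Directory>
</VirtualHost>
"""
# The fix from the reply: repeat AuthLDAPURL in the section that does LDAP authorization.
FIXED = BROKEN.replace("        Require", f"        {URL}\n        Require")

OPEN = re.compile(r"<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"</\s*\w+\s*>$")
LDAP_REQUIRE = re.compile(r"require\s+ldap-\S+", re.I)

def find_ldap_authz_without_url(conf):
    """Return (section, line_no) per 'Require ldap-*' lacking an AuthLDAPURL in its own
    or an enclosing section; one inside <AuthnProviderAlias> is authn-only (per the reply)."""
    root = {"name": "global", "alias": False, "url": False, "reqs": [], "parent": None}
    sections, cur = [root], root
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            cur = cur["parent"] or root
        elif m := OPEN.match(line):
            cur = {"name": f"{m.group(1)} {m.group(2)}".strip(), "url": False, "reqs": [],
                   "alias": m.group(1).lower() == "authnprovideralias", "parent": cur}
            sections.append(cur)
        elif line.lower().startswith("authldapurl"):
            cur["url"] = True
        elif LDAP_REQUIRE.match(line):
            cur["reqs"].append(no)
    def covered(sec):
        while sec:
            if sec["url"] and not sec["alias"]:
                return True
            sec = sec["parent"]
        return False
    return [(s["name"], no) for s in sections if not covered(s) for no in s["reqs"]]
```

Running it on `BROKEN` reports the private directory's `Require ldap-group` line; on `FIXED` it reports nothing.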


Re: AuthzLDAPAuthoritative and "no authoritative

on 26.02.2008 16:05:49 by Jeff Eggen

>>> "Eric Covener" 2/26/2008 8:59 AM >>>
>When you define AuthLDAPURL in an AuthnProviderAlias, you also need
>to explicitly define the AuthLDAPUrl in any context where you use LDAP
>authorization (emphasis on authn vs authz)

>mod_authnz_ldap probably bailed out of authorization pretty quickly
>when it didn't see an AuthLDAPUrl defined.

That's what I get for trying mod_authn_alias.

As per your suggestion, I removed section and added
the AuthLDAPURL section back to my individual directory sections, and it
works like a charm.

Thanks very much!
