* [gentoo-user] Why is apache 2.2 hard masked?
@ 2007-04-11 14:04 Wolfgang Liebich
From: Wolfgang Liebich @ 2007-04-11 14:04 UTC
To: gentoo-user
Hi,
I'm fighting with authentication problems (see my further mails about
mod_auth_ldap) and
maybe a new module available for apache 2.2 might solve them.
BUT apache 2.2 is hard masked - why? Any experiences?
- TIA
- Wolfgang
--
gentoo-user@gentoo.org mailing list
* Re: [gentoo-user] Why is apache 2.2 hard masked?
From: Vladimir Rusinov @ 2007-04-11 14:17 UTC
To: gentoo-user
On 4/11/07, Wolfgang Liebich <wolfgang.liebich@siemens.com> wrote:
>
> I'm fighting with authentication problems (see my further mails about
> mod_auth_ldap) and
> maybe a new module available for apache 2.2 might solve them.
> BUT apache 2.2 is hard masked - why? Any experiences?
>
>
$ emerge -pv ">=apache-2.2"
These are the packages that would be merged, in order:
Calculating dependencies |
!!! All ebuilds that could satisfy ">=apache-2.2" have been masked.
!!! One of the following masked packages is required to complete your
request:
- net-www/apache-2.2.4 (masked by: package.mask, ~x86 keyword)
# Michael Stewart <vericgar@gentoo.org> (03 Feb 2006)
# Mask for testing of new Apache 2.2 version
If you really want apache-2.2, use package.unmask
--
WBR, Vladimir Rusinov aka B.
vladimir.rusinov@gmail.com
admin@inetoncd.ru
* Re: [gentoo-user] Why is apache 2.2 hard masked? - comments to my (preliminary) solution
From: Wolfgang Liebich @ 2007-04-16 7:54 UTC
To: gentoo-user
Hi,
Mike Williams schrieb:
> On Thursday 12 April 2007 06:13:44 Wolfgang Liebich wrote:
>
>> OK - it is in testing. Has anyone here experiences on how stable it is
>> to run? Maybe I need it b/c of a new auth module
>> which does not seem to be available in apache 2.0.58...
>>
>
> Oddly enough...
> http://archives.gentoo.org/gentoo-server/msg_11696.xml
>
> (I've not used the auth modules though)
>
Thank you all for your answers. I will try to press forward with apache
2.2.4. The reason I need it is that I need to authenticate/authorize users
against a Windows ActiveDirectory domain. This is done using LDAP. Until
now we only had users coming from one OU served by our DC, so that
setup worked w/o a hitch. BUT now we have gotten a user from a different
OU, and ... well, I could not get mod_auth_ldap to look up the user from
a BaseDN one level up (BUT searching the user via "ldapsearch" cmdline
worked - IDGI....).
Apache's "own" mod_auth_ldap (which you get with USE="ldap") didn't
work, either.
SO I decided to go forward to apache 2.2.4 and use 2 LDAP
authentication instances, each with a working BaseDN pointing to the
wanted OU (same server, only the most specific OU in the BaseDN
different) and unify them with mod_authn_alias. For simplicity I used
apache's own mod_authnz_ldap.
This setup seems to work, with some caveats:
- You have to mark both LDAP auth module configurations with
AuthzLDAPAuthoritative=off
- If you want to restrict access to your site to users belonging to a
specified group, you cannot just use mod_authnz_ldap's "require
ldap-group" feature b/c the module doing authorization checks is
mod_authn_alias -- which has NO idea what "require ldap-group" means.
Sigh. BUT:
-- you can do some evil tricks with the ldap URL to fake this "require
ldap-group" trick: You modify the search string (the last part of the
LDAP url to something like
"(&(<original part, e.g. 'objectType=*')(memberOf=<DN of the user
group>))". This has the effect that users not belonging to your wanted
group are just not found.
This is NOT the same as saying "users not in this group are not
AUTHORIZED", but it is a working fake.
Well, I've got a working system this way, therefore my boss will
probably ask me to stop researching further :-).
But I'm not totally satisfied with the current solution, b/c
- I still don't get the REASON why the ldap auth modules can't find the
user(s) but ldapsearch can.
- The solution is ugly :-) Seriously - I want to be able to use a single
authn/authz provider. Maybe mod_auth_kerberos would be better?
- Earlier on I looked into mod_auth_pam (for
authentication/authorization against our NIS/YP domain). BUT I didn't
use it b/c it seemed to REQUIRE that apache gets read access for
/etc/shadow. WHY? If I use pam+NIS, the local shadow pwd file should
never need to be read, right? (Also a fellow sysadmin cautioned me
against mod_auth_pam b/c he claimed it to be rather dead - i.e. not
developed further).
Comments/Experiences would be very welcome!
Ciao,
Wolf"english is NOT my native tongue:-("gang
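The two-provider setup described in the post above, written out as an added Apache 2.2 configuration example (constructed for this page; it is not the poster's own config and not part of any Gentoo package). The host name, base DNs, bind account, group name and location path are invented placeholders; the attribute names follow the Active Directory schema.

```apache
# Added example: two mod_authnz_ldap providers (one per OU) joined with
# mod_authn_alias, as in the post above. Needs mod_ldap, mod_authnz_ldap,
# mod_authn_alias, mod_auth_basic and mod_authz_user loaded.
# Placeholders: dc01.example.internal, DC=example,DC=internal, svc-apache,
# CN=WebUsers. Apache does not allow trailing comments after a directive.

# Provider 1: users under OU=Staff. The filter at the end of AuthLDAPURL is
# the "require ldap-group" workaround from the post: accounts that are not
# members of CN=WebUsers are simply never found, so they fail authentication
# (401) rather than authorization (403).
<AuthnProviderAlias ldap ldap-staff>
    AuthLDAPURL "ldap://dc01.example.internal/OU=Staff,DC=example,DC=internal?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=internal))"
    # AD normally rejects anonymous searches, so bind with a low-privilege
    # service account; the password is a placeholder and this file must not
    # be world-readable.
    AuthLDAPBindDN "CN=svc-apache,OU=Service,DC=example,DC=internal"
    AuthLDAPBindPassword "CHANGE-ME-PLACEHOLDER"
    # Per the post: both provider blocks need this so that a lookup miss in
    # one provider lets the next one be consulted.
    AuthzLDAPAuthoritative off
</AuthnProviderAlias>

# Provider 2: identical except for the OU in the base DN.
<AuthnProviderAlias ldap ldap-contractors>
    AuthLDAPURL "ldap://dc01.example.internal/OU=Contractors,DC=example,DC=internal?sAMAccountName?sub?(&(objectClass=user)(memberOf=CN=WebUsers,OU=Groups,DC=example,DC=internal))"
    AuthLDAPBindDN "CN=svc-apache,OU=Service,DC=example,DC=internal"
    AuthLDAPBindPassword "CHANGE-ME-PLACEHOLDER"
    AuthzLDAPAuthoritative off
</AuthnProviderAlias>

<Location /intranet>
    AuthType Basic
    AuthName "Intranet (AD account)"
    # Providers are tried in order; a user not found by the first alias is
    # looked up by the second.
    AuthBasicProvider ldap-staff ldap-contractors
    # No AuthLDAPURL is set at this level, so mod_authnz_ldap declines the
    # authorization phase and "Require ldap-group" cannot be used here;
    # mod_authz_user handles valid-user and the URL filter enforces the group.
    Require valid-user
</Location>
```

Before relying on the filter, check it with the same bind account and base DN using ldapsearch, once with a group member and once with a non-member, to confirm the non-member is genuinely not returned. Basic auth and a plain ldap:// URL both carry credentials in the clear, so the vhost should be HTTPS-only and the directory connection should use ldaps:// or StartTLS (mod_ldap's LDAPTrustedMode) in production.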