I am trying to check LDAP for whether a user exists in a group or in any of its sub-groups. Currently I am trying with the following:
<Location /sandbox.git>
Deny from All
DAV off
AuthBasicProvider ldap
AuthType Basic
AuthName "Git"
###############################################################################
AuthLDAPMaxSubGroupDepth 100 ### THIS IS HOW I TRY TO DEEP SUB-GROUP SEARCH ###
###############################################################################
AuthLDAPURL "ldap://MY-SERVER:389/OU=Domain Users,DC=corp,DC=Company,DC=com?sAMAccountName?sub?(objectClass=*)"
AuthLDAPBindDN "CN=authUSER,OU=Service Accounts,DC=corp,DC=Company,DC=com"
Satisfy any
AuthLDAPBindPassword "********"
Require ldap-group CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com
</Location>
This is on my Apache 2.4.6.
The log looks like this:
[access_compat:error] AH01797: client denied by server configuration: /usr/lib/git-core/git-http-backend
[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of Require ldap-group CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com: denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[access_compat:error] AH01797: client denied by server configuration: /usr/lib/git-core/git-http-backend
[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of Require ldap-group CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com: denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[access_compat:error] AH01797: client denied by server configuration: /usr/lib/git-core/git-http-backend
[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of Require ldap-group CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com: denied (no authenticated user yet)
[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)
[authnz_ldap:debug] mod_authnz_ldap.c(501): AH01691: auth_ldap authenticate: using URL ldap://MY-SERVER:389/OU=Domain Users,DC=corp,DC=Company,DC=com?sAMAccountName?sub?(objectClass=*)
[authnz_ldap:debug] mod_authnz_ldap.c(593): AH01697: auth_ldap authenticate: accepting testuser
[authnz_ldap:debug] mod_authnz_ldap.c(871): AH01713: auth_ldap authorize: require group: testing for group membership in "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com"
[authnz_ldap:debug] mod_authnz_ldap.c(879): AH01714: auth_ldap authorize: require group: testing for member: CN=LastName\\, FirstName (717712),OU=PLACE,OU=Domain Users,DC=corp,DC=Company,DC=com (CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com)
[authnz_ldap:debug] mod_authnz_ldap.c(898): AH01719: auth_ldap authorize: require group "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": didn't match with attr Comparison false (cached) [member][5 - Compare False]
[authnz_ldap:debug] mod_authnz_ldap.c(879): AH01714: auth_ldap authorize: require group: testing for uniqueMember: CN=LastName\\, FirstName (717712),OU=PLACE,OU=Domain Users,DC=corp,DC=Company,DC=com (CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com)
[authnz_ldap:debug] mod_authnz_ldap.c(898): AH01719: auth_ldap authorize: require group "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": didn't match with attr Comparison no such attribute (cached) [uniqueMember][16 - No such attribute]
[authnz_ldap:debug] mod_authnz_ldap.c(915): AH01716: auth_ldap authorise: require group "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": failed [Comparison no such attribute (cached)][16 - No such attribute], checking sub-groups
[authnz_ldap:debug] mod_authnz_ldap.c(938): AH01718: auth_ldap authorise: require group (sub-group) "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": didn't match with attr DN failed group verification. [member][5 - Compare False]
[authnz_ldap:debug] mod_authnz_ldap.c(915): AH01716: auth_ldap authorise: require group "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": failed [DN failed group verification.][5 - Compare False], checking sub-groups
[authnz_ldap:debug] mod_authnz_ldap.c(938): AH01718: auth_ldap authorise: require group (sub-group) "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": didn't match with attr DN failed group verification. [uniqueMember][5 - Compare False]
[authnz_ldap:debug] mod_authnz_ldap.c(945): AH01720: auth_ldap authorize group: authorization denied for user testuser to /sandbox.git/info/refs
[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of Require ldap-group CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com: denied
[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of <RequireAny>: denied
[authz_core:error] AH01631: user testuser: authorization failure for "/sandbox.git/info/refs":
It seems I am missing a small but important piece that makes the deep search into sub-groups fail.
Answer 0 (score: 2)
Add these lines to your Apache config:
AuthLDAPGroupAttribute "member"
AuthLDAPSubGroupClass "group"
AuthLDAPSubGroupAttribute "member"
AuthLDAPMaxSubGroupDepth 10
This fixes the sub-group LDAP lookup.
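The nested search that the log above shows mod_authnz_ldap performing, modelled in Python as an added example (illustrative code, not Apache's own or the answerer's). The in-memory directory and the Sub_Group DN are constructed; the point it shows is that member values are only followed as sub-groups when their objectClass matches AuthLDAPSubGroupClass, whose default is groupOfNames/groupOfUniqueNames rather than Active Directory's group.

```python
# Model of mod_authnz_ldap's nested-group search (added example, not Apache code).
# The directory is a constructed in-memory stand-in for AD: DN -> attribute lists.
from typing import Dict, List, Tuple

Directory = Dict[str, Dict[str, List[str]]]

# Constructed sample entries; the DNs follow the question, the sub-group is made up.
USER_DN = "CN=LastName\\, FirstName (717712),OU=PLACE,OU=Domain Users,DC=corp,DC=Company,DC=com"
TOP_GROUP = "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com"
SUB_GROUP = "CN=Sub_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com"

AD_DIRECTORY: Directory = {
    TOP_GROUP: {"objectClass": ["top", "group"], "member": [SUB_GROUP]},
    SUB_GROUP: {"objectClass": ["top", "group"], "member": [USER_DN]},
    USER_DN: {"objectClass": ["top", "person", "user"]},
}

def is_member(directory: Directory, user_dn: str, group_dn: str,
              group_attrs: Tuple[str, ...] = ("member", "uniqueMember"),
              subgroup_classes: Tuple[str, ...] = ("groupOfNames", "groupOfUniqueNames"),
              subgroup_attrs: Tuple[str, ...] = ("member", "uniqueMember"),
              max_depth: int = 10) -> bool:
    """True if user_dn is a direct or nested member of group_dn (defaults mirror mod_authnz_ldap's)."""
    group = directory.get(group_dn, {})
    # Step 1: direct membership, one compare per group attribute (AH01714/AH01719).
    for attr in group_attrs:
        if user_dn in group.get(attr, []):
            return True
    if max_depth <= 0:
        return False   # AuthLDAPMaxSubGroupDepth exhausted: stop descending
    # Step 2: only member values whose objectClass matches AuthLDAPSubGroupClass
    # are treated as sub-groups (AH01716 "checking sub-groups"); recurse into them.
    wanted = {c.lower() for c in subgroup_classes}
    for attr in subgroup_attrs:
        for candidate in group.get(attr, []):
            classes = {c.lower() for c in directory.get(candidate, {}).get("objectClass", [])}
            if classes & wanted and is_member(directory, user_dn, candidate, group_attrs,
                                              subgroup_classes, subgroup_attrs, max_depth - 1):
                return True
    return False

if __name__ == "__main__":
    # Defaults never recognise an AD group (objectClass=group) as a sub-group -> False.
    print(is_member(AD_DIRECTORY, USER_DN, TOP_GROUP))
    # AuthLDAPSubGroupClass "group" lets the search descend -> True.
    print(is_member(AD_DIRECTORY, USER_DN, TOP_GROUP, subgroup_classes=("group",)))
```

With the defaults the search stops exactly where the question's log stops ("didn't match ... checking sub-groups" followed by a denial); setting the sub-group class to AD's group is what lets it descend.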
Answer 1 (score: -1)
You cannot express this in the limited syntax Apache provides, which is a subset of the LDAP filter URL syntax, which itself cannot express your search. What it can express is whether the DN exists as an attribute of the specified group. Group nesting cannot be expressed in this syntax.