
Thread: Zimbra LDAP Group Membership Cannot Be recognized from Apache 2


  1. #1

    Zimbra LDAP Group Membership Cannot Be recognized from Apache 2

    Hello,

    I have successfully set up the zimlet for the Zimbra LDAP administration (the "gregzimbra" description in the wiki), but without the Samba part. As the domain I took as example aaa.algites.eu. My Zimbra installation is a multi-server install with 1 LDAP, 1 MTA and 1 MBOX virtual server.

    I want to use the LDAP from zimbra also for the authentication of the Subversion Users, going through apache 2 http server.

    I got the authentication with Zimbra LDAP working, and it works well, but I have a problem with the resolution of the required group. In Apache I have defined the Location like
    Code:
            <Location "/">
                    AuthType Basic
                    AuthName "SVN Repository"
                    AuthBasicProvider ldap
                    AuthzLDAPAuthoritative off
                    AuthLDAPBindDN uid=zmposix,cn=appaccts,cn=zimbra
                    AuthLDAPBindPassword zimbraposixaccount
                    AuthLDAPURL "ldap://zildap:389/OU=people,DC=aaa,DC=algites,DC=eu?uid"
                    Require ldap-group CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu
            </Location>
    but this required group is never resolved. After the password has been successfully validated, I always get the following error messages in the Apache log for that site:

    Code:
    [Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(745): [client A.B.C.D] [2421] auth_ldap authorise: require group: testing for member: uid=test2,ou=people,dc=aaa,dc=algites,dc=eu (CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu)
    [Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(761): [client A.B.C.D] [2421] auth_ldap authorise: require group "CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
    [Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(745): [client A.B.C.D] [2421] auth_ldap authorise: require group: testing for uniquemember: uid=test2,ou=people,dc=aaa,dc=algites,dc=eu (CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu)
    [Thu Jan 06 13:11:45 2011] [debug] mod_authnz_ldap.c(761): [client A.B.C.D] [2421] auth_ldap authorise: require group "CN=svn_access, OU=groups, DC=aaa, DC=algites, DC=eu": authorisation failed [Comparison no such attribute (adding to cache)][No such attribute]
    In the LDAP log, with logging of everything possible turned on, I have:

    Code:
    Jan  6 13:11:45 zildap slapd[2532]: => acl_mask: access to entry "cn=svn_access,ou=groups,dc=aaa,dc=algites,dc=eu", attr "uniqueMember" requested
    Jan  6 13:11:45 zildap slapd[2532]: => acl_mask: to value by "uid=zmposix,cn=appaccts,cn=zimbra", (=0)
    Jan  6 13:11:45 zildap slapd[2532]: <= check a_dn_pat: cn=admins,cn=zimbra
    Jan  6 13:11:45 zildap slapd[2532]: <= check a_dn_pat: uid=zmposixroot,cn=appaccts,cn=zimbra
    Jan  6 13:11:45 zildap slapd[2532]: <= check a_dn_pat: uid=zmposix,cn=appaccts,cn=zimbra
    Jan  6 13:11:45 zildap slapd[2532]: <= acl_mask: [3] applying read(=rscxd) (stop)
    Jan  6 13:11:45 zildap slapd[2532]: <= acl_mask: [3] mask: read(=rscxd)
    Jan  6 13:11:45 zildap slapd[2532]: => slap_access_allowed: compare access granted by read(=rscxd)
    Jan  6 13:11:45 zildap slapd[2532]: => access_allowed: compare access granted by read(=rscxd)
    Jan  6 13:11:45 zildap slapd[2532]: send_ldap_result: conn=2334 op=5 p=3
    Jan  6 13:11:45 zildap slapd[2532]: send_ldap_result: err=16 matched="" text=""
    Jan  6 13:11:45 zildap slapd[2532]: send_ldap_response: msgid=6 tag=111 err=16
    Jan  6 13:11:45 zildap slapd[2532]: conn=2334 op=5 RESULT tag=111 err=16 text=
    In the logs there are also the requests for the "member" attribute, but equally without success... I have also tried the attribute "memberOf" by redefining the group membership attribute name in the Location with

    Code:
    AuthLDAPGroupAttribute memberOf
    but then it returned some other error which is also returned in the case the attribute name is invalid.
    I also tried to put some non-existent group there instead of "svn_access"; then I get the correct (and different) error message that the group object is not found...

    The given user test2@aaa.algites.eu is defined in zimbra, posix Ids are created ok.

    Possible causes could be the following (I have tried everything possible but do not know what exactly):

    1. I have specified the membership in the given group SVN_access in a wrong way - as memberUID I have tried to write there the posix number of the user or the username ("test2"). Is this correct? It does not work with number or username - what should be entered as memberUID into the posix group definition?

    2. Are the group names case sensitive? I think it helped me also not to remove the capital letters from the group name, as well as the dots and underlines from the group name, but possibly I could have forgotten something somewhere...

    3. Should some other group membership attribute be used on Apache? But which?

    I would really appreciate any help or pointers, it took me really a lot of time and the solution is still unknown...

    Thanx in advance, Archie
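
Added example (not part of the original posts, and not Apache's or Zimbra's code): a small Python model of the LDAP compare behind `Require ldap-group`, showing why a posixGroup that keeps its members in `memberUid` answers err=16 (no such attribute) to the default `member`/`uniquemember` checks seen in the logs above. It assumes the group is a plain posixGroup as the post describes; the group entry and its `gidNumber` are constructed sample data, and `ldap_compare` and `group_check` are hypothetical helper names.

```python
# Added example: models the LDAP compare that mod_authnz_ldap issues for
# "Require ldap-group". The group entry below is constructed sample data.

COMPARE_FALSE, COMPARE_TRUE, NO_SUCH_ATTRIBUTE = 5, 6, 16  # RFC 4511 result codes

# Constructed posixGroup entry: membership is stored as bare login names in
# memberUid, and the entry has no member/uniqueMember attribute at all.
GROUP = {
    "dn": "cn=svn_access,ou=groups,dc=aaa,dc=algites,dc=eu",
    "objectClass": ["posixGroup"],
    "cn": ["svn_access"],
    "gidNumber": ["10001"],  # constructed value
    "memberUid": ["test2"],
}
USER_DN = "uid=test2,ou=people,dc=aaa,dc=algites,dc=eu"


def ldap_compare(entry, attr, value):
    """Return the LDAP result code for comparing attr=value against entry."""
    # Attribute names are case-insensitive; memberUid values are matched
    # exactly (caseExactIA5Match in the RFC 2307 schema).
    present = {name.lower(): vals for name, vals in entry.items() if name != "dn"}
    values = present.get(attr.lower())
    if values is None:
        return NO_SUCH_ATTRIBUTE  # what slapd logged as err=16
    return COMPARE_TRUE if value in values else COMPARE_FALSE


def group_check(entry, group_attrs, attr_is_dn, user_dn, username):
    """Mimic the loop over the configured AuthLDAPGroupAttribute values.

    attr_is_dn mirrors AuthLDAPGroupAttributeIsDN: on compares the user's DN,
    off compares the login name.
    """
    needle = user_dn if attr_is_dn else username
    results = [(attr, ldap_compare(entry, attr, needle)) for attr in group_attrs]
    return any(code == COMPARE_TRUE for _, code in results), results


if __name__ == "__main__":
    # Apache defaults: member + uniquemember, compared against the user's DN.
    print(group_check(GROUP, ["member", "uniquemember"], True, USER_DN, "test2"))
    # Group attribute memberUid, but still comparing the DN.
    print(group_check(GROUP, ["memberUid"], True, USER_DN, "test2"))
    # Group attribute memberUid, comparing the login name instead of the DN.
    print(group_check(GROUP, ["memberUid"], False, USER_DN, "test2"))
```

In Apache terms the third case corresponds to `AuthLDAPGroupAttribute memberUid` together with `AuthLDAPGroupAttributeIsDN off`.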

  2. #2

    You might try ubersvn; we use it to provide http-svn access and ldap authentication integration functionalities, and it works fine.

  3. #3

    Thank you for the reply :-).
    I will try it, but the problem is, I want to integrate through Apache also some other services.... But this could be at least the solution for svn access.

    Thank you :-) Archie.
