你好,我试图检查与ldap,如果一个用户存在于一个组或任何子组。目前,我正在尝试以下内容:
<Location /sandbox.git>Deny from AllDAV offAuthBasicProvider ldapAuthType BasicAuthName "Git"###############################################################################AuthLDAPMaxSubGroupDepth 100 ### THIS IS HOW I TRY TO DEEP SUB-GROUP SEARCH ##################################################################################AuthLDAPURL "ldap://MY-SERVER:389/OU=Domain Users,DC=corp,DC=Company,DC=com?sAMAccountName?sub?(objectClass=*)"AuthLDAPBindDN "CN=authUSER,OU=Service Accounts,DC=corp,DC=Company,DC=com"Satisfy anyAuthLDAPBindPassword "********"Require ldap-group CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com</Location>
这是适合我的Apache2.4.6版本的
日志看起来是这样的:
[access_compat:error] AH01797: client denied by server configuration: /usr/lib/git-core/git-http-backend[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of Require ldap-group CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com: denied (no authenticated user yet)[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)[access_compat:error] AH01797: client denied by server configuration: /usr/lib/git-core/git-http-backend[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of Require ldap-group CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com: denied (no authenticated user yet)[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)[access_compat:error] AH01797: client denied by server configuration: /usr/lib/git-core/git-http-backend[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of Require ldap-group CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com: denied (no authenticated user yet)[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of <RequireAny>: denied (no authenticated user yet)[authnz_ldap:debug] mod_authnz_ldap.c(501): AH01691: auth_ldap authenticate: using URL ldap://MY-SERVER:389/OU=Domain Users,DC=corp,DC=Company,DC=com?sAMAccountName?sub?(objectClass=*)[authnz_ldap:debug] mod_authnz_ldap.c(593): AH01697: auth_ldap authenticate: accepting testuser[authnz_ldap:debug] mod_authnz_ldap.c(871): AH01713: auth_ldap authorize: require group: testing for group membership in "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com"[authnz_ldap:debug] mod_authnz_ldap.c(879): AH01714: auth_ldap authorize: require group: testing for member: CN=LastName\\, FirstName (717712),OU=PLACE,OU=Domain Users,DC=corp,DC=Company,DC=com (CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com)[authnz_ldap:debug] mod_authnz_ldap.c(898): AH01719: auth_ldap authorize: require group "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": didn't match with attr Comparison false (cached) [member][5 - Compare False][authnz_ldap:debug] mod_authnz_ldap.c(879): AH01714: auth_ldap authorize: require group: testing for uniqueMember: CN=LastName\\, FirstName (717712),OU=PLACE,OU=Domain Users,DC=corp,DC=Company,DC=com (CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com)[authnz_ldap:debug] mod_authnz_ldap.c(898): AH01719: auth_ldap authorize: require group "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": didn't match with attr Comparison no such attribute (cached) [uniqueMember][16 - No such attribute][authnz_ldap:debug] mod_authnz_ldap.c(915): AH01716: auth_ldap authorise: require group "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": failed [Comparison no such attribute (cached)][16 - No such attribute], checking sub-groups[authnz_ldap:debug] mod_authnz_ldap.c(938): AH01718: auth_ldap authorise: require group (sub-group) "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": didn't match with attr DN failed group verification. [member][5 - Compare False][authnz_ldap:debug] mod_authnz_ldap.c(915): AH01716: auth_ldap authorise: require group "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": failed [DN failed group verification.][5 - Compare False], checking sub-groups[authnz_ldap:debug] mod_authnz_ldap.c(938): AH01718: auth_ldap authorise: require group (sub-group) "CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com": didn't match with attr DN failed group verification. [uniqueMember][5 - Compare False][authnz_ldap:debug] mod_authnz_ldap.c(945): AH01720: auth_ldap authorize group: authorization denied for user testuser to /sandbox.git/info/refs[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of Require ldap-group CN=My_Group,OU=Company,OU=Security Groups,OU=Exchange,DC=corp,DC=Company,DC=com: denied[authz_core:debug] mod_authz_core.c(802): AH01626: authorization result of <RequireAny>: denied[authz_core:error] AH01631: user testuser: authorization failure for "/sandbox.git/info/refs":
看起来我错过了一个很小但很重要的部分,使得在子组中的深度搜索失败。
3条答案
按热度按时间zc0qhyus1#
将这行添加到你的apache配置中:
可以固定子组LDAP查找。
4nkexdtk2#
AuthLDAPGroupAttribute“成员”:
此指令指定包含组成员列表的LDAP属性。在该示例中,用于表示组成员资格的属性是“member”。属性值通常包含组成员用户的可分辨名称(DN)。AuthLDAPSubGroupClass“group”:
此指令定义表示LDAP目录中的子组的LDAP对象类。在本例中,“group”对象类用于表示子组。子组是嵌套在其他组中的组,形成层次结构。AuthLDAPSubGroupAttribute“成员”:
此指令指定在LDAP目录中建立子组成员关系的LDAP属性。在这种情况下,“member”属性用于指示子组成员资格。属性值包含作为特定组成员的子组的可分辨名称(DN)。AuthLDAPMaxSubGroupDepth 10:
此指令设置允许的子组嵌套的最大深度。在此示例中,最大深度设置为10,这意味着组最多可以嵌套10个级别。此设置有助于防止可能导致性能问题或其他问题的无限递归或过度嵌套。
yshpjwxd3#
您不能用Apache提供的有限语法来表达这一点,该语法是LDAP过滤器URL语法的子集,而LDAP过滤器URL语法本身不能表达您的搜索。它所能表达的只是DN是否作为指定组的属性存在。组嵌套不能用此语法表示。