Axel,
Axel Birndt schrieb (14.12.2011 21:36 Uhr):
----apache.conf------- ..... AuthType basic AuthBasicProvider ldap AuthName "LDAP-geschuetztes Verzeichnis" AuthLDAPUrl "ldap://localhost:389/ou=user,dc=2axels-company,dc=de?cn?sub" AuthLDAPBindDN "cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" # it doesn't work, if the bind password is encrypted... isn't it ?? #AuthLDAPBindPassword {SHA}pfiSFDDFSAAE$$%j8BTtCUqs9IZWsQ= # Because this, the password is currently used as an unencrypted one: AuthLDAPBindPassword xxxxxxxxxxx Require ldap-group cn=awstats,ou=groups,dc=2axels-company,dc=de ....
Now my question:
which minimum acl rights are needed for the Bind User:
"cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
to connect to the ldap server and check the group from the user who try to login.
When I understand your apache config right, you - enter values of cn attributes to your http auth - the objects to these cn values are in ou=user,dc=2axels-company,dc=de - allowed users are in a ldap group cn=awstats,ou=groups,dc=2axels-company,dc=de
So apache must be able to - search for cn attributes in ou=user,dc=2axels-company,dc=de, - authenticate with an object in ou=user,dc=2axels-company,dc=de and - read the members of cn=awstats,ou=groups,dc=2axels-company,dc=de (You should see from your slapd log, if there are any other actions from apache like searching for groups etc.)
While you want to protect these information for anonymous access you decided to take a bind user cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de. So all the rights above have to be granted to this user.
Marc