Posted to users@httpd.apache.org by sebb <se...@gmail.com> on 2018/03/22 09:26:01 UTC
[users@httpd] mod_authzn_ldap: combining queries to different LDAP layouts
Is it possible to use two mod_authnz_ldap checks that need different
settings in the same Location container?

For example:

<Location ...>
<RequireAny>
AuthType Basic
AuthBasicProvider ldap
AuthName ...
AuthLDAPurl ...
<RequireAll>
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN On
Require ldap-group cn=one,...
</RequireAll>
<RequireAll>
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN Off
Require ldap-group cn=two,...
</RequireAll>
</RequireAny>
</Location>

I have tried the above and it looks like only the last instance of
AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN are used.

The groups one and two are defined differently and need different
settings if the validation is to work.
The individual Require commands work if used in different <Location> sections.

Is there a way to get round this?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_authzn_ldap: combining queries to different LDAP layouts
Posted by sebb <se...@gmail.com>.
On 22 March 2018 at 09:41, Eric Covener <co...@gmail.com> wrote:
> On Thu, Mar 22, 2018 at 5:26 AM, sebb <se...@gmail.com> wrote:
>> Is it possible to use two mod_authnz_ldap checks that need different
>> settings in the same Location container?
>>
>> For example:
>>
>> <Location ...>
>> <RequireAny>
>> AuthType Basic
>> AuthBasicProvider ldap
>> AuthName ...
>> AuthLDAPurl ...
>> <RequireAll>
>> AuthLDAPGroupAttribute member
>> AuthLDAPGroupAttributeIsDN On
>> Require ldap-group cn=one,...
>> </RequireAll>
>> <RequireAll>
>> AuthLDAPGroupAttribute memberUid
>> AuthLDAPGroupAttributeIsDN Off
>> Require ldap-group cn=two,...
>> </RequireAll>
>> </RequireAny>
>> </Location>
>>
>> I have tried the above and it looks like only the last instance of
>> AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN are used.
>>
>> The groups one and two are defined differently and need different
>> settings if the validation is to work.
>> The individual Require commands work if used in different <Location> sections.
>>
>> Is there a way to get round this?
>
> I think you need to wrap them in AuthzProviderAlias'es so that they
> technically will look more like separate "configuration sections" so
> the module can actually access the two configs.

Thanks very much.
That works in local testing.

> Note: If you do something similar for directives used during
> Authentication you need the AuthnProviderAlias instead/in addition.
> I am a little skeptical that the LDAP example here really works for
> this reason: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html
>
>
> --
> Eric Covener
> covener@gmail.com
>
Re: [users@httpd] mod_authzn_ldap: combining queries to different LDAP layouts
Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 22, 2018 at 5:26 AM, sebb <se...@gmail.com> wrote:
> Is it possible to use two mod_authnz_ldap checks that need different
> settings in the same Location container?
>
> For example:
>
> <Location ...>
> <RequireAny>
> AuthType Basic
> AuthBasicProvider ldap
> AuthName ...
> AuthLDAPurl ...
> <RequireAll>
> AuthLDAPGroupAttribute member
> AuthLDAPGroupAttributeIsDN On
> Require ldap-group cn=one,...
> </RequireAll>
> <RequireAll>
> AuthLDAPGroupAttribute memberUid
> AuthLDAPGroupAttributeIsDN Off
> Require ldap-group cn=two,...
> </RequireAll>
> </RequireAny>
> </Location>
>
> I have tried the above and it looks like only the last instance of
> AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN are used.
>
> The groups one and two are defined differently and need different
> settings if the validation is to work.
> The individual Require commands work if used in different <Location> sections.
>
> Is there a way to get round this?

I think you need to wrap them in AuthzProviderAlias'es so that they
technically will look more like separate "configuration sections" so
the module can actually access the two configs.

Note: If you do something similar for directives used during
Authentication you need the AuthnProviderAlias instead/in addition.
I am a little skeptical that the LDAP example here really works for
this reason: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html

--
Eric Covener
covener@gmail.com
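
The approach suggested in this thread, written out as an added example (not taken from any of the posts): each group check gets its own AuthzProviderAlias section carrying the group attribute settings it needs, and the Location refers to the aliases by name. The alias names, host name, DNs, path and realm are placeholders, and repeating AuthLDAPUrl inside each alias is an assumption that follows the LDAP example in the mod_authz_core documentation.

```apache
# AuthzProviderAlias is only valid in server config context, so both
# aliases are defined outside the <Location> container.

# Group "one": membership is stored as full DNs in the "member" attribute.
# (alias name, URL and DN below are placeholders)
<AuthzProviderAlias ldap-group ldap-group-one "cn=one,ou=groups,dc=example,dc=org">
    AuthLDAPUrl "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
</AuthzProviderAlias>

# Group "two": membership is stored as bare user names in "memberUid".
<AuthzProviderAlias ldap-group ldap-group-two "cn=two,ou=groups,dc=example,dc=org">
    AuthLDAPUrl "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid"
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN Off
</AuthzProviderAlias>

<Location "/protected">
    # Authentication settings stay in the Location itself.
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Restricted"
    AuthLDAPUrl "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid"

    # Each alias is evaluated with its own AuthLDAPGroupAttribute settings,
    # so neither check overrides the other.
    <RequireAny>
        Require ldap-group-one
        Require ldap-group-two
    </RequireAny>
</Location>
```

After reloading, test with an account that belongs only to group one, an account that belongs only to group two, and an account in neither, so that a silently ignored setting shows up as a wrong allow or deny rather than going unnoticed.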