Posted to users@httpd.apache.org by "J.Lance Wilkinson" <jl...@psu.edu> on 2012/03/21 13:49:09 UTC
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require
ldap-group' object?
I don't believe I ever got a reply to this, so since it's been a month I'll
repeat it...
the story so far: I have a need to be able to parse into an
environment variable (using Rewrite rules or some such) a value
that then can be used in a *require* directive like
require ldap-group
or require ldap-filter
Using Apache v2.2.6 on Solaris 10, Apache 2.2.15 on Linux RHEL 6,
pretty much the same Apache configurations on both.
Is this something possible NOW using stock modules, or is this
something that I will have with Apache 2.4 and its stock modules,
or is this something I would need to implement new or modified
code to achieve?
Eric Covener wrote:
> LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
> queried, but you might not be able to express the rules you need using
> attributes only.
Not sure exactly what you're saying here... "AUTHENTICATE_* vars"
are those environment variables or something? I've never seen them
in the environment presented to a CGI script or a PHP script. Are
they environment variables that can be used in other Apache directives?
As I currently use things like %{REQUEST_URI} in a rewrite rule or
rewrite condition? If that's the case, what gets substituted for
the "*"? Is it AUTHENTICATE_attribute like AUTHENTICATE_UID or
AUTHENTICATE_MAIL, substituting LDAP attributes for the wildcard,
or is there some specific vocabulary of substitutions for the
wildcard? Is there a listing or documentation someplace that
specifically addresses this that I've missed?
>
> Some directory servers allow group membership to be read as a "magic"
> attribute in LDAP. Notably, Tivoli Directory Server allows an
> ibm-allGroups element to be used (result only, not filtered on) which
> you could then find a way to check more dynamically (setenvif, allow
> from env=...).
I think we may be using those features on our university-wide
LDAP server here, but not in that manner. I have used at least one
ibm-* attribute in other capacities, but with custom developed
code in a CGI script, not at the Apache authentication/authorization
level.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require
ldap-group' object?
Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 22, 2012 at 2:03 PM, Eric Covener <co...@gmail.com> wrote:
>> So, how to supply the information parsed from the URI as part of the
>> argument to the require ldap-group directive *at REQUEST time*. Is
>> that %{xxx} resolution something that takes place at the time the
>> request is being serviced and honored, or is it something that only
>> applies as the configuration is being processed?
>>
>> I'm already using mod_define.so as a loaded module, if that makes
>> any difference (to my advantage or disadvantage...)...
>
> I'm pretty sure you'd need to teach the guts of mod_authnz_ldap to
> parse its configuration like that. mod_proxy has code for this
> already and a flag to turn the interpolation on and off. I don't
> think there's a config-only solution.
Please open an enhancement in bugzilla and add me to CC.
Any detail helps. You'd have to capture it with setenvif, not LocationMatch.
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require
ldap-group' object?
Posted by Eric Covener <co...@gmail.com>.
> So, how to supply the information parsed from the URI as part of the
> argument to the require ldap-group directive *at REQUEST time*. Is
> that %{xxx} resolution something that takes place at the time the
> request is being serviced and honored, or is it something that only
> applies as the configuration is being processed?
>
> I'm already using mod_define.so as a loaded module, if that makes
> any difference (to my advantage or disadvantage...)...
I'm pretty sure you'd need to teach the guts of mod_authnz_ldap to
parse its configuration like that. mod_proxy has code for this
already and a flag to turn the interpolation on and off. I don't
think there's a config-only solution.
Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require
ldap-group' object?
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
J.Lance Wilkinson wrote:
> I don't believe I ever got a reply to this, so since it's been a month I'll
> repeat it...
>
> the story so far: I have a need to be able to parse into an
> environment variable (using Rewrite rules or some such) a value
> that then can be used in a *require* directive like
>
> require ldap-group
> or require ldap-filter
>
> Using Apache v2.2.6 on Solaris 10, Apache 2.2.15 on Linux RHEL 6,
> pretty much the same Apache configurations on both.
>
> Is this something possible NOW using stock modules, or is this
> something that I will have with Apache 2.4 and its stock modules,
> or is this something I would need to implement new or modified
> code to achieve?
I'll further clarify what I WANT to do...
    <Location ~ "^/(.*)/member.(.*)(.html|/(.*)?)$">
        SetEnvIf Request_URI "^/(.*)/member.(.*)(.html|/(.*)?)$" MBRSHP=$2
        ...
        require ldap-group cn=umg/%{MBRSHP},dc=xxx,dc=yyy:
        ...
    </Location>
So, how to supply the information parsed from the URI as part of the
argument to the require ldap-group directive *at REQUEST time*. Is
that %{xxx} resolution something that takes place at the time the
request is being serviced and honored, or is it something that only
applies as the configuration is being processed?
I'm already using mod_define.so as a loaded module, if that makes
any difference (to my advantage or disadvantage...)...
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
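
Added example, not part of the thread and not the posters' configuration: on httpd 2.4.8 and later, the LDAP Require directives accept expressions and LocationMatch exports named captures as MATCH_* environment variables, so the per-URL group check asked about above can be written in configuration alone. The LDAP host, realm name and capture name "mbrshp" are assumptions; the group DN pattern is the one from the message above.

```apache
# Assumes httpd 2.4.8+ with mod_authnz_ldap loaded. On 2.2.x the
# Require argument is taken literally and is not interpolated per request.

# The named capture becomes the environment variable MATCH_MBRSHP.
# The character class is deliberately narrow: whatever it matches is
# placed into an LDAP DN, so commas, equals signs, parentheses,
# asterisks and slashes from the URL must never reach it.
<LocationMatch "^/.+/member\.(?<mbrshp>[A-Za-z0-9_-]+)(\.html|/.*)$">
    AuthType Basic
    AuthName "Members only"                # assumed realm name
    AuthBasicProvider ldap

    # Assumed directory host; base DN taken from the thread's placeholder.
    AuthLDAPURL "ldap://ldap.example.org/dc=xxx,dc=yyy?uid"

    # Evaluated at request time: the user must be a member of the
    # group named by the URL segment captured above.
    Require ldap-group "cn=umg/%{env:MATCH_MBRSHP},dc=xxx,dc=yyy"
</LocationMatch>
```

A URL whose member segment contains any character outside the class does not match this block at all, so make sure the surrounding configuration denies such paths by default rather than serving them unauthenticated.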