Posted to users@httpd.apache.org by "J.Lance Wilkinson" <jl...@psu.edu> on 2012/03/21 13:49:09 UTC

Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

I don't believe I ever got a reply to this, so since it's been a month I'll
repeat it...

	the story so far:  I have a need to be able to parse into an
	environment variable (using Rewrite rules or some such) a value
	that then can be used in a *require* directive like

		require ldap-group
	or	require ldap-filter

	Using Apache v2.2.6 on Solaris 10, Apache 2.2.15 on Linux RHEL 6,
	pretty much the same Apache configurations on both.

	Is this something possible NOW using stock modules, or is this
	something that I will have with Apache 2.4 and its stock modules,
	or is this something I would need to implement new or modified
	code to achieve?

Eric Covener wrote:
> LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
> queried, but you might not be able to express the rules you need using
> attributes only.

	Not sure exactly what you're saying here...  "AUTHENTICATE_* vars"
	are those environment variables or something?  I've never seen them
	in the environment presented to a CGI script or a PHP script.  Are
	they environment variables that can be used in other Apache directives?
	As I currently use things like %{REQUEST_URI} in a rewrite rule or
	rewrite condition?   If that's the case, what gets substituted for
	the "*"?  Is it AUTHENTICATE_attribute like AUTHENTICATE_UID or
	AUTHENTICATE_MAIL, substituting LDAP attributes for the wildcard,
	or is there some specific vocabulary of substitutions for the
	wildcard?  Is there a listing or documentation someplace that
	specifically addresses this that I've missed?

> 
> Some directory servers allow group membership to be read as a "magic"
> attribute in LDAP.  Notably, tivoli directory server allows an
> ibm-allGroups element to be used (result only, not filtered on) which
> you could then find a way to check more dynamically (setenvif, allow
> from env=...).

	I think we may be using those features on our university-wide
	LDAP server here, but not in that manner.  I have used at least one
	ibm-* attribute in other capacities, but with custom developed
	code in a CGI script, not at the Apache authentication/authorization
	level.

-- 
J.Lance Wilkinson ("Lance")		InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

Posted by Eric Covener <co...@gmail.com>.
On Thu, Mar 22, 2012 at 2:03 PM, Eric Covener <co...@gmail.com> wrote:
>>        So, how to supply the information parsed from the URI as part of the
>>        argument to the require ldap-group directive *at REQUEST time*.   Is
>>        that %{xxx} resolution something that takes place at the time the
>>        request is being serviced and honored, or is it something that only
>>        applies as the configuration is being processed?
>>
>>        I'm already using mod_define.so as a loaded module, if that makes
>>        any difference (to my advantage or disadvantage...)...
>
> I'm pretty sure you'd need to teach the guts of mod_authnz_ldap to
> parse its configuration like that.  mod_proxy has code for this
> already and a flag to turn the interpolation on and off.   I don't
> think there's a config-only solution.

Please open an enhancement in bugzilla and add me to CC.

Any detail helps.  You'd have to capture it with setenvif, not LocationMatch.



Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

Posted by Eric Covener <co...@gmail.com>.
>        So, how to supply the information parsed from the URI as part of the
>        argument to the require ldap-group directive *at REQUEST time*.   Is
>        that %{xxx} resolution something that takes place at the time the
>        request is being serviced and honored, or is it something that only
>        applies as the configuration is being processed?
>
>        I'm already using mod_define.so as a loaded module, if that makes
>        any difference (to my advantage or disadvantage...)...

I'm pretty sure you'd need to teach the guts of mod_authnz_ldap to
parse its configuration like that.  mod_proxy has code for this
already and a flag to turn the interpolation on and off.   I don't
think there's a config-only solution.



Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
J.Lance Wilkinson wrote:
> I don't believe I ever got a reply to this, so since it's been a month I'll
> repeat it...
> 
>     the story so far:  I have a need to be able to parse into an
>     environment variable (using Rewrite rules or some such) a value
>     that then can be used in a *require* directive like
> 
>         require ldap-group   
>     or    require ldap-filter
> 
>     Using Apache v2.2.6 on Solaris 10, Apache 2.2.15 on Linux RHEL 6,
>     pretty much the same Apache configurations on both.
> 
>     Is this something possible NOW using stock modules, or is this
>     something that I will have with Apache 2.4 and its stock modules,
>     or is this something I would need to implement new or modified
>     code to achieve?


	I'll further clarify what I WANT to do...

	<Location ~ "^/(.*)/member.(.*)(.html|/(.*)?)$">
	   SetEnvIf Request_URI "^/(.*)/member.(.*)(.html|/(.*)?)$" MBRSHP=$2
		...
	   require ldap-group cn=umg/%{MBRSHP},dc=xxx,dc=yyy:
		...
	</Location>

	So, how to supply the information parsed from the URI as part of the
	argument to the require ldap-group directive *at REQUEST time*.   Is
	that %{xxx} resolution something that takes place at the time the
	request is being serviced and honored, or is it something that only
	applies as the configuration is being processed?

	I'm already using mod_define.so as a loaded module, if that makes
	any difference (to my advantage or disadvantage...)...

-- 
J.Lance Wilkinson ("Lance")		InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

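The thread's conclusion is that the argument to "require ldap-group" is fixed when the configuration is parsed, and that making it request-time would mean teaching mod_authnz_ldap to interpolate variables the way mod_proxy already does. The following is an added, stand-alone example of what such an enhancement would have to do; it is not code from httpd, mod_authnz_ldap or mod_proxy. It expands %{NAME} references from a small name/value table standing in for r->subprocess_env, escapes each value per RFC 4514 before it becomes part of a DN, and fails closed when the variable is unset, empty or malformed. The type and function names (env_var, env_get, dn_escape, interpolate_require) and the sample captures are invented for the illustration. The hostile sample shows the general caveat with a capture such as SetEnvIf's "(.*)": anything in the path segment is copied into the DN, so "x,dc=evil" would otherwise produce a group DN in a different subtree, whereas escaping keeps it a single RDN value.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for r->subprocess_env: a NULL-terminated name/value table
 * (hypothetical type for this example, not an httpd or APR structure). */
typedef struct {
    const char *name;
    const char *value;
} env_var;

static const char *env_get(const env_var *env, const char *name, size_t len)
{
    for (; env->name != NULL; env++) {
        if (strlen(env->name) == len && strncmp(env->name, name, len) == 0)
            return env->value;
    }
    return NULL;
}

/* Escape one attribute value for use in a DN string (RFC 4514 section 2.4):
 * backslash ',', '+', '"', '\\', '<', '>', ';', '=', a leading '#' or space
 * and a trailing space.  Returns the escaped length, or (size_t)-1 when
 * out is too small. */
static size_t dn_escape(const char *in, char *out, size_t outsz)
{
    size_t len = strlen(in), n = 0;

    for (size_t i = 0; i < len; i++) {
        char c = in[i];
        int special = strchr(",+\"\\<>;=", c) != NULL
                   || (i == 0 && (c == ' ' || c == '#'))
                   || (i == len - 1 && c == ' ');
        if (n + (special ? 2 : 1) >= outsz)
            return (size_t)-1;
        if (special)
            out[n++] = '\\';
        out[n++] = c;
    }
    out[n] = '\0';
    return n;
}

/* Expand every %{NAME} in tmpl from env into out.  Each value is DN-escaped
 * before insertion, so characters in a captured URI segment cannot add or
 * alter RDNs.  Returns 0 on success and -1 (caller denies the request)
 * when a reference is malformed, the variable is unset or empty, or out
 * is too small. */
static int interpolate_require(const char *tmpl, const env_var *env,
                               char *out, size_t outsz)
{
    size_t n = 0;

    while (*tmpl != '\0') {
        if (tmpl[0] == '%' && tmpl[1] == '{') {
            const char *start = tmpl + 2;
            const char *end = strchr(start, '}');
            const char *val;
            char esc[512];
            size_t el;

            if (end == NULL || end == start)
                return -1;
            val = env_get(env, start, (size_t)(end - start));
            if (val == NULL || *val == '\0')
                return -1;          /* fail closed: never "cn=umg/,dc=..." */
            el = dn_escape(val, esc, sizeof esc);
            if (el == (size_t)-1 || n + el >= outsz)
                return -1;
            memcpy(out + n, esc, el);
            n += el;
            tmpl = end + 1;
        } else {
            if (n + 1 >= outsz)
                return -1;
            out[n++] = *tmpl++;
        }
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample captures, as "SetEnvIf Request_URI ... MBRSHP=$2"
     * would set them for /lib/member.staff.html and for a hostile
     * /lib/member.x,dc=evil.html */
    const env_var honest[]  = { { "MBRSHP", "staff" },     { NULL, NULL } };
    const env_var hostile[] = { { "MBRSHP", "x,dc=evil" }, { NULL, NULL } };
    const char *tmpl = "cn=umg/%{MBRSHP},dc=xxx,dc=yyy";
    char dn[256];

    if (interpolate_require(tmpl, honest, dn, sizeof dn) == 0)
        printf("honest : %s\n", dn);   /* cn=umg/staff,dc=xxx,dc=yyy */
    if (interpolate_require(tmpl, hostile, dn, sizeof dn) == 0)
        printf("hostile: %s\n", dn);   /* cn=umg/x\,dc\=evil,dc=xxx,dc=yyy */
    if (interpolate_require("cn=%{NOPE},dc=xxx", honest, dn, sizeof dn) != 0)
        puts("unset variable: deny");
    return 0;
}
```

Escaping is the second line of defence; the first is narrowing the capture in the SetEnvIf pattern from "(.*)" to the characters a group name can actually contain (for example "[A-Za-z0-9_-]+"), so that anything else never reaches the authorization step at all. Note that "require ldap-filter" would need RFC 4515 filter escaping rather than the DN rules used here, since the value is spliced into a search filter instead of a DN.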