Posted to users@httpd.apache.org by Eric Covener <co...@gmail.com> on 2010/04/06 21:57:22 UTC
Re: [users@httpd] How do I require more than one Require ldap-* directive match?
On Tue, Apr 6, 2010 at 1:50 PM, Thomas, Peter <pt...@hpti.com> wrote:
> I've looked at the mod_authnz_ldap code and the documentation. "Out of the
> box" it seems like there's no way to turn the "OR" behavior of Require ldap-*
> lines into "AND." I've been trying as hard as I can to avoid creating not
> only a new provider type but also a new provider. Unfortunately, the more I
> dig into mod_authnz_ldap the more it seems like it's not quite what I need.
> Is there a "right" way to do this? One thought is creating a hook that
> "fakes out" check_user_access by dynamically updating the array of requires
> to "present" one ldap-* require line at a time, then aggregating the results
> into a single return value.
>
> I've seen some pretty subtle tricks from all of you--I'm hoping that someone
> out there has a better option than building up a new provider.
>
This comes for free in trunk. I'd review a 2.2.x patch that just
changed the way the loop operates to respect an "AND" flag -- my guess
is that it is not very hard but I am too swamped to play with it.

The caveat for the doc would be that it only made sense in an
all ldap-* configuration.

This AND behavior for LDAP authz is frequently requested.
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
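As an added example (not from Eric's or Peter's mail, and not the project's own documentation), this is how the AND behavior Eric describes as coming for free in trunk is written in httpd 2.4 syntax, next to the 2.2-style list of Require lines that the question is about. The LDAP host, base DN, bind DN, password and group DNs are placeholders:

```apache
# Added example, not from the thread. All DNs, the host name and the
# bind password below are placeholders.
<Location "/secure">
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=*)"
    AuthLDAPBindDN "cn=httpd,ou=Service,dc=example,dc=com"
    AuthLDAPBindPassword "PLACEHOLDER-BIND-PASSWORD"

    # 2.2 semantics: several Require ldap-* lines are OR-ed. A user who is
    # in EITHER group is let in, so adding a second line widens access.
    #Require ldap-group cn=staff,ou=Groups,dc=example,dc=com
    #Require ldap-group cn=vpn-users,ou=Groups,dc=example,dc=com

    # 2.4 / trunk: every Require inside <RequireAll> must succeed, so the
    # user has to be a member of BOTH groups.
    <RequireAll>
        Require ldap-group cn=staff,ou=Groups,dc=example,dc=com
        Require ldap-group cn=vpn-users,ou=Groups,dc=example,dc=com
    </RequireAll>
</Location>
```

The practical point for 2.2 deployments is the one the thread hinges on: because multiple Require lines are any-match, each additional ldap-* line enlarges rather than narrows the set of users admitted, so an intended "must also be in this group" restriction silently becomes "or in this group". In 2.4 the `<RequireAll>`, `<RequireAny>` and `<RequireNone>` containers from mod_authz_core can be nested to express the exact combination wanted, and that applies to every authorization provider, not only ldap-*.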
RE: [users@httpd] How do I require more than one Require ldap-* directive match?
Posted by "Thomas, Peter" <pt...@HPTI.com>.
Thanks. I'm in a production environment, so going to the trunk will be a tough sell. Ryan Patrick offered up a complete patch in 2005 to allow "and" -- reused "Satisfy all", which raised some controversy.
I'll revive/update his patch suggestion, but add a one-off flag for "AuthzLDAPSatisfy all" [defaulting to "any" which yields the current OR behavior].
At the time, Graham L. didn't like the one-off flag, as it was asymmetric with other modules. I don't see that as an overwhelming concern.
--Pete
> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Tuesday, April 06, 2010 3:57 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] How do I require more than one
> Require ldap-* directive match?
>
> On Tue, Apr 6, 2010 at 1:50 PM, Thomas, Peter
> <pt...@hpti.com> wrote:
> > I've looked at the mod_authnz_ldap code and the
> documentation. "Out
> > of the box" it seems like there's no way to turn the "OR"
> behavior of
> > Require ldap-* lines into "AND." I've been trying as hard
> as I can to
> > avoid creating not only a new provider type but also a new
> provider.
> > Unfortunately, the more I dig into mod_authnz_ldap the more
> it seems like it's not quite what I need.
> > Is there a "right" way to do this? One thought is creating a hook
> > that "fakes out" check_user_access by dynamically updating
> the array
> > of requires to "present" one ldap-* require line at a time, then
> > aggregating the results into a single return value.
> >
> > I've seen some pretty subtle tricks from all of you--I'm
> hoping that
> > someone out there has a better option than building up a
> new provider.
> >
>
> This comes for free in trunk. I'd review a 2.2.x patch that
> just changed the way the loop operates to respect an "AND"
> flag -- my guess is that it is not very hard but I am too
> swamped to play with it
>
> The caveat for the doc would be that it only made sense
> in an all ldap-* configuration.
>
> This AND behavior for LDAP authz is frequently requested.
>
>
> --
> Eric Covener
> covener@gmail.com
>