Posted to modules-dev@httpd.apache.org by "Thomas, Peter" <pt...@HPTI.com> on 2010/04/06 19:50:52 UTC

RE: [users@httpd] How do I require more than one Require ldap-* directive match?

I've looked at the mod_authnz_ldap code and the documentation.  "Out of
the box" it seems like there's no way to turn the "OR" behavior of
Require ldap-* lines into "AND."  I've been trying as hard as I can to
avoid creating not only a new provider type but also a new provider.
Unfortunately, the more I dig into mod_authnz_ldap the more it seems
like it's not quite what I need.  Is there a "right" way to do this?
One thought is creating a hook that "fakes out" check_user_access by
dynamically updating the array of requires to "present" one ldap-*
require line at a time, then aggregating the results into a single
return value.
 
I've seen some pretty subtle tricks from all of you--I'm hoping that
someone out there has a better option than building up a new provider.
 
--Pete
 
________________________________

From: Thomas, Peter [mailto:pthomas@HPTI.com] 
Sent: Tuesday, April 06, 2010 1:26 PM
To: users@httpd.apache.org
Subject: [users@httpd] How do I require more than one Require ldap-*
directive match?



	How do I configure mod_authnz_ldap to require that I meet
multiple authorization conditions [i.e. user must be a member of an LDAP
group AND also possess one or more attributes].  As it is, the code
returns "OK" as soon as the first "Require ldap-*" directive succeeds,
short-circuiting subsequent require directives.

	If I only had to match on attributes, I could use a Require
ldap-filter directive, but needing to search for both a group and an
attribute stops me cold.

	-Pete 


RE: [users@httpd] How do I require more than one Require ldap-* directive match?

Posted by "Thomas, Peter" <pt...@HPTI.com>.
Thanks.  I'm in a production environment, so going to the trunk will be a tough sell.  Ryan Patrick offered up a complete patch in 2005 to allow "and" -- reused "Satisfy all", which raised some controversy.

I'll revive/update his patch suggestion, but add a one-off flag for "AuthzLDAPSatisfy all" [defaulting to "any" which yields the current OR behavior].
At the time, Graham L. didn't like the one-off flag, as it was asymmetric with other modules.  I don't see that as an overwhelming concern.

--Pete

> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com] 
> Sent: Tuesday, April 06, 2010 3:57 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] How do I require more than one 
> Require ldap-* directive match?
> 
> On Tue, Apr 6, 2010 at 1:50 PM, Thomas, Peter 
> <pt...@hpti.com> wrote:
> > I've looked at the mod_authnz_ldap code and the documentation.  "Out
> > of the box" it seems like there's no way to turn the "OR" behavior of
> > Require ldap-* lines into "AND."  I've been trying as hard as I can to
> > avoid creating not only a new provider type but also a new provider.
> > Unfortunately, the more I dig into mod_authnz_ldap the more it seems
> > like it's not quite what I need.  Is there a "right" way to do this?
> > One thought is creating a hook that "fakes out" check_user_access by
> > dynamically updating the array of requires to "present" one ldap-*
> > require line at a time, then aggregating the results into a single
> > return value.
> >
> > I've seen some pretty subtle tricks from all of you--I'm hoping that
> > someone out there has a better option than building up a new provider.
> >
> 
> This comes for free in trunk. I'd review a 2.2.x patch that
> just changed the way the loop operates to respect an "AND"
> flag -- my guess is that it is not very hard but I am too
> swamped to play with it.
> 
> The caveat for the doc would be that it only made sense
> in an all ldap-* configuration.
> 
> This AND behavior for LDAP authz is frequently requested.
> 
> 
> --
> Eric Covener
> covener@gmail.com
> 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] How do I require more than one Require ldap-* directive match?

Posted by Eric Covener <co...@gmail.com>.
On Tue, Apr 6, 2010 at 1:50 PM, Thomas, Peter <pt...@hpti.com> wrote:
> I've looked at the mod_authnz_ldap code and the documentation.  "Out of the
> box" it seems like there's no way to turn the "OR" behavior of Require ldap-*
> lines into "AND."  I've been trying as hard as I can to avoid creating not
> only a new provider type but also a new provider. Unfortunately, the more I
> dig into mod_authnz_ldap the more it seems like it's not quite what I need.
> Is there a "right" way to do this?  One thought is creating a hook that
> "fakes out" check_user_access by dynamically updating the array of requires
> to "present" one ldap-* require line at a time, then aggregating the results
> into a single return value.
>
> I've seen some pretty subtle tricks from all of you--I'm hoping that someone
> out there has a better option than building up a new provider.
>

This comes for free in trunk. I'd review a 2.2.x patch that just
changed the way the loop operates to respect an "AND" flag -- my guess
is that it is not very hard but I am too swamped to play with it.

The caveat for the doc would be that it only made sense in an
all ldap-* configuration.

This AND behavior for LDAP authz is frequently requested.


-- 
Eric Covener
covener@gmail.com
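As an added example (not from the thread), the configuration difference Eric alludes to: in httpd 2.2.x, consecutive Require ldap-* lines are ORed, so a user who satisfies only one of them is authorized, whereas httpd 2.4 (trunk at the time of the thread) provides the <RequireAll> container that makes every enclosed Require succeed before access is granted. The hostname, base DN, group DN and attribute value are constructed placeholders, and the two blocks are alternatives for the respective versions, not meant to be loaded together.

```apache
# --- httpd 2.2.x: OR semantics (the behaviour the thread complains about) ---
# Authorization returns OK as soon as the first Require ldap-* line matches,
# so a member of cn=engineering who lacks employeeType=fulltime still gets in.
<Location /engineering>
    AuthType Basic
    AuthName "Engineering"
    AuthBasicProvider ldap
    # constructed placeholder directory; searches for the user by uid
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid" NONE
    Require ldap-group cn=engineering,ou=groups,dc=example,dc=com
    Require ldap-attribute employeeType=fulltime
</Location>

# --- httpd 2.4: AND semantics via <RequireAll> ---
# Both the group membership check and the attribute check must succeed;
# if either fails, the request is denied. <RequireAny> would restore the
# 2.2-style OR explicitly.
<Location /engineering>
    AuthType Basic
    AuthName "Engineering"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid" NONE
    <RequireAll>
        Require ldap-group cn=engineering,ou=groups,dc=example,dc=com
        Require ldap-attribute employeeType=fulltime
    </RequireAll>
</Location>
```

With the 2.4 form, a failed attribute check is logged by mod_authnz_ldap at debug level under the module's own log tags, which is the quickest way to confirm that both providers are actually being consulted for each request.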
