Posted to users@httpd.apache.org by James Martin <ja...@gmail.com> on 2013/03/03 05:33:42 UTC

[users@httpd] using multiple LimitExcept directives

Folks,

I'm attempting to use multiple LimitExcept directives in one
Location.  Basically I want to give the "Actor" ldap group GET &
PUT access, the "WeatherMan" ldap group only GET access, and the
"Actor" ldap group PUT access.  I'm open to using either apache 2.2 or
2.4, as I see that apache 2.4 supports nesting of the Limit and
LimitExcept directives.  This is what I've tried so far:


<Location "/boballcharlieputs">
  AuthType Basic
  AuthName "Secure Area"
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
  AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
  AuthLDAPBindPassword password
  <LimitExcept GET PUT>
    Require ldap-group cn=Actor, ou=groups, o=company
  </LimitExcept>
  <LimitExcept GET>
    Require ldap-group cn=WeatherMan, ou=groups, o=company
  </LimitExcept>
  <LimitExcept PUT>
    Require ldap-group cn=Actor, ou=groups, o=company
  </LimitExcept>
</Location>

In this case Apache only processes the last LimitExcept, so the only
operation that succeeds is the PUT by a user in the Actor ldap
group.


I've also attempted to nest these statements (new feature in 2.4) and
apache complains:

"<LimitExcept> directive specifies methods already excluded"

Here is that example:

<LimitExcept GET PUT>
    Require ldap-group cn=Artist, ou=groups, o=bashoproserv
    <LimitExcept PUT>
        Require ldap-group cn=Actor, ou=groups, o=bashoproserv
    </LimitExcept>
</LimitExcept>

I feel like I'm very close to getting this working, but I'm not quite
grasping how to stack the LimitExcepts properly.

Thanks for your help,


James

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] using multiple LimitExcept directives

Posted by James Martin <ja...@gmail.com>.
On Sun, Mar 3, 2013 at 4:08 PM, Igor Cicimov <ic...@gmail.com> wrote:
>
> On 04/03/2013 3:36 AM, "James Martin" <ja...@gmail.com> wrote:
>>
>> On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov <ic...@gmail.com> wrote:
>> >
>> > On 03/03/2013 3:34 PM, "James Martin" <ja...@gmail.com> wrote:
>> >>
>> >> Folks,
>> >>
>> >> I'm attempting to use multiple LimitExcept directives in one
>> >> Location.  Basically I want to give the "Actor" ldap group GET &
>> >> PUT access, the "WeatherMan" ldap group only GET access, and the
>> >> "Actor" ldap group PUT access.  I'm open to using either apache 2.2 or
>> >> 2.4, as I see that apache 2.4 supports nesting of the Limit and
>> >> LimitExcept directives.  This is what I've tried so far:
>> >>
>> >
>> > Can you please first check the above bolded groups for us? Is that
>> > correct, or should one of them be Artist instead?
>> >
>>
>> I realize there was a typo there, sorry about that.  I said Actor
>> twice.  The groups should be Artist, Actor, and WeatherMan.  Here's the
>> proper text:
>>
>> Basically I want to give the "Artist" ldap group GET & PUT access,
>> the "WeatherMan" ldap group only GET access, and the "Actor" ldap
>> group PUT access.  I'm open to using either apache 2.2 or 2.4, as I
>> see that apache 2.4 supports nesting of the Limit and LimitExcept
>> directives.  This is what I've tried so far:
>>
>> <Location>
>> <LimitExcept GET PUT>
>>     Require ldap-group cn=Artist, ou=groups, o=company
>> </LimitExcept>
>>  <LimitExcept GET>
>>         Require ldap-group cn=WeatherMan, ou=groups, o=company
>>  </LimitExcept>
>>  <LimitExcept PUT>
>>         Require ldap-group cn=Actor, ou=groups, o=company
>>  </LimitExcept>
>> </Location>
>>
>> >>
>> >> <Location "/boballcharlieputs">
>> >>   AuthType Basic
>> >>   AuthName "Secure Area"
>> >>   AuthBasicProvider ldap
>> >>   AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
>> >>   AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
>> >>   AuthLDAPBindPassword password
>> >
>> >
>> >> <LimitExcept GET PUT>
>> >>     Require ldap-group cn=Actor, ou=groups, o=company
>> >> </LimitExcept>
>> >
>> > From the docs:
>> >
>> > <LimitExcept> and </LimitExcept> are used to enclose a group of access
>> > control directives which will then apply to any HTTP access method not
>> > listed in the arguments
>> >
>>
>> It is my understanding that if you have GET PUT within LimitExcept
>> then you are limiting all operations *except* GET & PUT.
>>
>>
>> > In this context, isn't your above statement actually achieving the
>> > opposite
>> > from what you want?
>> >
>> >>  <LimitExcept GET>
>> >>         Require ldap-group cn=WeatherMan, ou=groups, o=company
>> >>  </LimitExcept>
>> >>  <LimitExcept PUT>
>> >>         Require ldap-group cn=Actor, ou=groups, o=company
>> >>  </LimitExcept>
>> >> </Location>
>> >>
>> >> In this case Apache only processes the last LimitExcept, so the only
>> >> operation that succeeds is the PUT by a user in the Actor ldap
>> >> group.
>> >>
>> >>
>> >> I've also attempted to nest these statements (new feature in 2.4) and
>> >> apache complains:
>> >>
>> >> "<LimitExcept> directive specifies methods already excluded"
>> >>
>> >> Here is that example:
>> >>
>> >> <LimitExcept GET PUT>
>> >>     Require ldap-group cn=Artist, ou=groups, o=bashoproserv
>> >>     <LimitExcept PUT>
>> >>         Require ldap-group cn=Actor, ou=groups, o=bashoproserv
>> >>     </LimitExcept>
>> >> </LimitExcept>
>> >>
>> >
>> > So is it Actor or Artist or both??? Can't see Artist in the first
>> > example...
>> >
>> > The docs further say:
>> >
>> > The <Limit> and <LimitExcept> directives may be nested. In this case,
>> > each
>> > successive level of <Limit> or <LimitExcept> directives must further
>> > restrict the set of methods to which access controls apply.
>> >
>> > When using <Limit> or <LimitExcept> directives with the Require
>> > directive,
>> > note that the first Require to succeed authorizes the request,
>> > regardless of
>> > the presence of other Require directives.
>> >
>> > So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor,
>> > and
>> > having the above said in mind, I would try something like this:
>> >
>> >
>> > <Limit GET PUT>
>> >    Require ldap-group cn=Artist, ou=groups, o=company
>> > </Limit>
>> > <Limit GET>
>> >
>> >    Require ldap-group cn=WeatherMan, ou=groups, o=company
>> > </Limit>
>> > <Limit PUT>
>> >
>> >    Require ldap-group cn=Actor, ou=groups, o=company
>> > </Limit>
>> >
>>
>> I attempted your method and it *does* seem to work as I wanted
>> (thanks!); however, my concern is as per the docs:
>>
>> """
>> The following example applies the access control only to the methods
>> POST, PUT, and DELETE, leaving all other methods unprotected:
>>
>> <Limit POST PUT DELETE>
>>   Require valid-user
>> </Limit>
>> """
>>
>> To me that means that  GET, CONNECT, OPTIONS, PATCH, PROPFIND,
>> PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at
>> all.
> Correct, since those 3 are the important ones, so you need only some users to
> access them and you don't care about the other methods. Why else would you
> use Limit then with Require? By default ALL methods are unprotected. So in
> your case you don't need to give Artist GET access to anything, he already
> has it! The point is to allow access to that user ONLY, and that's where Limit
> and Require come into play.
>
>>
>> It also mentions
>>
>> """
>> A <LimitExcept> section should always be used in preference to a
>> <Limit> section when restricting access, since a <LimitExcept> section
>> provides protection against arbitrary methods.
>> """
>>
> Correct, BUT only if it matches your use case. Does it???
> Nothing wrong with using Limit if you know exactly what you are doing.
>
>> Perhaps I need to combine the Limit with a LimitExcept to catch all of
>> the other methods not defined?
>>
> Sure, go on and try it. I'm only giving you some pointers; hope you'll come up
> with the solution that suits you yourself.
>

Just a follow up, I was able to get what I wanted with this approach.
Hopefully someone else can find this information useful. Thanks for
your pointers, they definitely helped!

# This stanza allows only folks belonging to the "Admin" group to PUT
# and GET into /protected

<Location "/protected">
  <Limit GET PUT>
    Require ldap-group cn=Admin, ou=groups, o=company
  </Limit>

  # The following blocks all other methods to the location
  <LimitExcept GET PUT>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>


#The following stanza controls access to the /protected/boballcharlieputs
# location
# Someone from the Artist group can get and put
# Someone from the WeatherMan group can only get
# Someone from the Actor group can only put

<Location "/protected/boballcharlieputs">
  <Limit GET>
    Require ldap-group cn=WeatherMan, ou=groups, o=company
    Require ldap-group cn=Artist, ou=groups, o=company
  </Limit>
  <Limit PUT>
    Require ldap-group cn=Artist, ou=groups, o=company
    Require ldap-group cn=Actor, ou=groups, o=company
  </Limit>

  # The following blocks all other HTTP methods to the location
  <LimitExcept GET PUT>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>

Thanks again,

James

>> Thanks,
>>
>> - James
>>
>>
>> >> I feel like I'm very close to getting this working, but I'm not quite
>> >> grasping how to stack the LimitExcepts properly.
>> >>
>> >> Thanks for your help,
>> >>
>> >>
>> >> James
>> >>
>>

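The final layout above written in Apache 2.4's native syntax, as an added example and not James's own configuration: the 2.2-style "Order Allow,Deny / Deny from all" lines (which 2.4 only accepts through mod_access_compat) become "Require all denied", and each method keeps its ORed group Requires inside a single <Limit> section. Paths, group DNs and the LDAP settings are the ones used in the thread; the bind password is a placeholder.

```apache
# Added example, not taken from the thread: James's final layout for Apache 2.4.
# Assumes mod_authnz_ldap and mod_authz_core are loaded; DNs, paths and the LDAP
# URL come from the first post, the bind password is a placeholder.

# TRACE is not covered by <Limit>/<LimitExcept>; turn it off server-wide.
TraceEnable off

<Location "/protected">
  AuthType Basic
  AuthName "Secure Area"
  AuthBasicProvider ldap
  AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
  AuthLDAPBindDN "uid=binder,ou=users,o=bashoproserv"
  AuthLDAPBindPassword "CHANGE-ME-bind-password"

  # Only the Admin group may GET (a GET limit also covers HEAD) or PUT here.
  <Limit GET PUT>
    Require ldap-group cn=Admin,ou=groups,o=company
  </Limit>

  # Every other method, including ones Apache does not know, is refused.
  # This is the 2.4 form of "Order Allow,Deny" + "Deny from all".
  <LimitExcept GET PUT>
    Require all denied
  </LimitExcept>
</Location>

<Location "/protected/boballcharlieputs">
  # Artist and WeatherMan may GET. The two Require lines are ORed:
  # the first one to succeed authorizes the request.
  <Limit GET>
    Require ldap-group cn=Artist,ou=groups,o=company
    Require ldap-group cn=WeatherMan,ou=groups,o=company
  </Limit>

  # Artist and Actor may PUT.
  <Limit PUT>
    Require ldap-group cn=Artist,ou=groups,o=company
    Require ldap-group cn=Actor,ou=groups,o=company
  </Limit>

  # Close the gap a bare <Limit> leaves: nothing else gets through.
  <LimitExcept GET PUT>
    Require all denied
  </LimitExcept>
</Location>
```

Run `apachectl configtest` after editing, and note that the Auth* directives are inherited by the nested Location, so they only need to appear once.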


Re: [users@httpd] using multiple LimitExcept directives

Posted by Igor Cicimov <ic...@gmail.com>.
On 04/03/2013 3:36 AM, "James Martin" <ja...@gmail.com> wrote:
>
> On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov <ic...@gmail.com> wrote:
> >
> > On 03/03/2013 3:34 PM, "James Martin" <ja...@gmail.com> wrote:
> >>
> >> Folks,
> >>
> >> I'm attempting to use multiple LimitExcept directives in one
> >> Location.  Basically I want to give the "Actor" ldap group GET &
> >> PUT access, the "WeatherMan" ldap group only GET access, and the
> >> "Actor" ldap group PUT access.  I'm open to using either apache 2.2 or
> >> 2.4, as I see that apache 2.4 supports nesting of the Limit and
> >> LimitExcept directives.  This is what I've tried so far:
> >>
> >
> > Can you please first check the above bolded groups for us? Is that
> > correct, or should one of them be Artist instead?
> >
>
> I realize there was a typo there, sorry about that.  I said Actor
> twice.  The groups should be Artist, Actor, and WeatherMan.  Here's the
> proper text:
>
> Basically I want to give the "Artist" ldap group GET & PUT access,
> the "WeatherMan" ldap group only GET access, and the "Actor" ldap
> group PUT access.  I'm open to using either apache 2.2 or 2.4, as I
> see that apache 2.4 supports nesting of the Limit and LimitExcept
> directives.  This is what I've tried so far:
>
> <Location>
> <LimitExcept GET PUT>
>     Require ldap-group cn=Artist, ou=groups, o=company
> </LimitExcept>
>  <LimitExcept GET>
>         Require ldap-group cn=WeatherMan, ou=groups, o=company
>  </LimitExcept>
>  <LimitExcept PUT>
>         Require ldap-group cn=Actor, ou=groups, o=company
>  </LimitExcept>
> </Location>
>
> >>
> >> <Location "/boballcharlieputs">
> >>   AuthType Basic
> >>   AuthName "Secure Area"
> >>   AuthBasicProvider ldap
> >>   AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
> >>   AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
> >>   AuthLDAPBindPassword password
> >
> >
> >> <LimitExcept GET PUT>
> >>     Require ldap-group cn=Actor, ou=groups, o=company
> >> </LimitExcept>
> >
> > From the docs:
> >
> > <LimitExcept> and </LimitExcept> are used to enclose a group of access
> > control directives which will then apply to any HTTP access method not
> > listed in the arguments
> >
>
> It is my understanding that if you have GET PUT within LimitExcept
> then you are limiting all operations *except* GET & PUT.
>
>
> > In this context, isn't your above statement actually achieving the
> > opposite from what you want?
> >
> >>  <LimitExcept GET>
> >>         Require ldap-group cn=WeatherMan, ou=groups, o=company
> >>  </LimitExcept>
> >>  <LimitExcept PUT>
> >>         Require ldap-group cn=Actor, ou=groups, o=company
> >>  </LimitExcept>
> >> </Location>
> >>
> >> In this case Apache only processes the last LimitExcept, so the only
> >> operation that succeeds is the PUT by a user in the Actor ldap
> >> group.
> >>
> >>
> >> I've also attempted to nest these statements (new feature in 2.4) and
> >> apache complains:
> >>
> >> "<LimitExcept> directive specifies methods already excluded"
> >>
> >> Here is that example:
> >>
> >> <LimitExcept GET PUT>
> >>     Require ldap-group cn=Artist, ou=groups, o=bashoproserv
> >>     <LimitExcept PUT>
> >>         Require ldap-group cn=Actor, ou=groups, o=bashoproserv
> >>     </LimitExcept>
> >> </LimitExcept>
> >>
> >
> > So is it Actor or Artist or both??? Can't see Artist in the first
> > example...
> >
> > The docs further say:
> >
> > The <Limit> and <LimitExcept> directives may be nested. In this case,
> > each successive level of <Limit> or <LimitExcept> directives must further
> > restrict the set of methods to which access controls apply.
> >
> > When using <Limit> or <LimitExcept> directives with the Require
> > directive, note that the first Require to succeed authorizes the request,
> > regardless of the presence of other Require directives.
> >
> > So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor,
> > and having the above said in mind, I would try something like this:
> >
> >
> > <Limit GET PUT>
> >    Require ldap-group cn=Artist, ou=groups, o=company
> > </Limit>
> > <Limit GET>
> >
> >    Require ldap-group cn=WeatherMan, ou=groups, o=company
> > </Limit>
> > <Limit PUT>
> >
> >    Require ldap-group cn=Actor, ou=groups, o=company
> > </Limit>
> >
>
> I attempted your method and it *does* seem to work as I wanted
> (thanks!); however, my concern is as per the docs:
>
> """
> The following example applies the access control only to the methods
> POST, PUT, and DELETE, leaving all other methods unprotected:
>
> <Limit POST PUT DELETE>
>   Require valid-user
> </Limit>
> """
>
> To me that means that  GET, CONNECT, OPTIONS, PATCH, PROPFIND,
> PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at
> all.
Correct, since those 3 are the important ones, so you need only some users to
access them and you don't care about the other methods. Why else would you
use Limit then with Require? By default ALL methods are unprotected. So in
your case you don't need to give Artist GET access to anything, he already
has it! The point is to allow access to that user ONLY, and that's where
Limit and Require come into play.

>
> It also mentions
>
> """
> A <LimitExcept> section should always be used in preference to a
> <Limit> section when restricting access, since a <LimitExcept> section
> provides protection against arbitrary methods.
> """
>
Correct, BUT only if it matches your use case. Does it???
Nothing wrong with using Limit if you know exactly what you are doing.

> Perhaps I need to combine the Limit with a LimitExcept to catch all of
> the other methods not defined?
>
Sure, go on and try it. I'm only giving you some pointers; hope you'll come up
with the solution that suits you yourself.

> Thanks,
>
> - James
>
>
> >> I feel like I'm very close to getting this working, but I'm not quite
> >> grasping how to stack the LimitExcepts properly.
> >>
> >> Thanks for your help,
> >>
> >>
> >> James
> >>
>

Re: [users@httpd] using multiple LimitExcept directives

Posted by James Martin <ja...@gmail.com>.
On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov <ic...@gmail.com> wrote:
>
> On 03/03/2013 3:34 PM, "James Martin" <ja...@gmail.com> wrote:
>>
>> Folks,
>>
>> I'm attempting to use multiple LimitExcept directives in one
>> Location.  Basically I want to give the "Actor" ldap group GET &
>> PUT access, the "WeatherMan" ldap group only GET access, and the
>> "Actor" ldap group PUT access.  I'm open to using either apache 2.2 or
>> 2.4, as I see that apache 2.4 supports nesting of the Limit and
>> LimitExcept directives.  This is what I've tried so far:
>>
>
> Can you please first check the above bolded groups for us? Is that correct,
> or should one of them be Artist instead?
>

I realize there was a typo there, sorry about that.  I said Actor
twice.  The groups should be Artist, Actor, and WeatherMan.  Here's the
proper text:

Basically I want to give the "Artist" ldap group GET & PUT access,
the "WeatherMan" ldap group only GET access, and the "Actor" ldap
group PUT access.  I'm open to using either apache 2.2 or 2.4, as I
see that apache 2.4 supports nesting of the Limit and LimitExcept
directives.  This is what I've tried so far:

<Location>
  <LimitExcept GET PUT>
    Require ldap-group cn=Artist, ou=groups, o=company
  </LimitExcept>
  <LimitExcept GET>
    Require ldap-group cn=WeatherMan, ou=groups, o=company
  </LimitExcept>
  <LimitExcept PUT>
    Require ldap-group cn=Actor, ou=groups, o=company
  </LimitExcept>
</Location>

>>
>> <Location "/boballcharlieputs">
>>   AuthType Basic
>>   AuthName "Secure Area"
>>   AuthBasicProvider ldap
>>   AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
>>   AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
>>   AuthLDAPBindPassword password
>
>
>> <LimitExcept GET PUT>
>>     Require ldap-group cn=Actor, ou=groups, o=company
>> </LimitExcept>
>
> From the docs:
>
> <LimitExcept> and </LimitExcept> are used to enclose a group of access
> control directives which will then apply to any HTTP access method not
> listed in the arguments
>

It is my understanding that if you have GET PUT within LimitExcept
then you are limiting all operations *except* GET & PUT.


> In this context, isn't your above statement actually achieving the opposite
> from what you want?
>
>>  <LimitExcept GET>
>>         Require ldap-group cn=WeatherMan, ou=groups, o=company
>>  </LimitExcept>
>>  <LimitExcept PUT>
>>         Require ldap-group cn=Actor, ou=groups, o=company
>>  </LimitExcept>
>> </Location>
>>
>> In this case Apache only processes the last LimitExcept, so the only
>> operation that succeeds is the PUT by a user in the Actor ldap
>> group.
>>
>>
>> I've also attempted to nest these statements (new feature in 2.4) and
>> apache complains:
>>
>> "<LimitExcept> directive specifies methods already excluded"
>>
>> Here is that example:
>>
>> <LimitExcept GET PUT>
>>     Require ldap-group cn=Artist, ou=groups, o=bashoproserv
>>     <LimitExcept PUT>
>>         Require ldap-group cn=Actor, ou=groups, o=bashoproserv
>>     </LimitExcept>
>> </LimitExcept>
>>
>
> So is it Actor or Artist or both??? Can't see Artist in the first example...
>
> The docs further say:
>
> The <Limit> and <LimitExcept> directives may be nested. In this case, each
> successive level of <Limit> or <LimitExcept> directives must further
> restrict the set of methods to which access controls apply.
>
> When using <Limit> or <LimitExcept> directives with the Require directive,
> note that the first Require to succeed authorizes the request, regardless of
> the presence of other Require directives.
>
> So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and
> having the above said in mind, I would try something like this:
>
>
> <Limit GET PUT>
>    Require ldap-group cn=Artist, ou=groups, o=company
> </Limit>
> <Limit GET>
>
>    Require ldap-group cn=WeatherMan, ou=groups, o=company
> </Limit>
> <Limit PUT>
>
>    Require ldap-group cn=Actor, ou=groups, o=company
> </Limit>
>

I attempted your method and it *does* seem to work as I wanted
(thanks!); however, my concern is as per the docs:

"""
The following example applies the access control only to the methods
POST, PUT, and DELETE, leaving all other methods unprotected:

<Limit POST PUT DELETE>
  Require valid-user
</Limit>
"""

To me that means that  GET, CONNECT, OPTIONS, PATCH, PROPFIND,
PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at
all.

It also mentions

"""
A <LimitExcept> section should always be used in preference to a
<Limit> section when restricting access, since a <LimitExcept> section
provides protection against arbitrary methods.
"""

Perhaps I need to combine the Limit with a LimitExcept to catch all of
the other methods not defined?

Thanks,

- James


>> I feel like I'm very close to getting this working, but I'm not quite
>> grasping how to stack the LimitExcepts properly.
>>
>> Thanks for your help,
>>
>>
>> James
>>



Re: [users@httpd] using multiple LimitExcept directives

Posted by Igor Cicimov <ic...@gmail.com>.
On 03/03/2013 3:34 PM, "James Martin" <ja...@gmail.com> wrote:
>
> Folks,
>
> I'm attempting to use multiple LimitExcept directives in one
> Location.  Basically I want to give the "*Actor*" ldap group GET &
> PUT access, the "WeatherMan" ldap group only GET access, and the
> "*Actor*" ldap group PUT access.  I'm open to using either apache 2.2 or
> 2.4, as I see that apache 2.4 supports nesting of the Limit and
> LimitExcept directives.  This is what I've tried so far:
>

Can you please first check the above bolded groups for us? Is that
correct, or should one of them be Artist instead?

>
> <Location "/boballcharlieputs">
>   AuthType Basic
>   AuthName "Secure Area"
>   AuthBasicProvider ldap
>   AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
>   AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
>   AuthLDAPBindPassword password


> <LimitExcept GET PUT>
>     Require ldap-group cn=Actor, ou=groups, o=company
> </LimitExcept>

From the docs:

<LimitExcept> and </LimitExcept> are used to enclose a group of access
control directives which will then apply to any HTTP access method
*not* listed in the arguments.

In this context, isn't your above statement actually achieving the opposite
from what you want?

>  <LimitExcept GET>
>         Require ldap-group cn=WeatherMan, ou=groups, o=company
>  </LimitExcept>
>  <LimitExcept PUT>
>         Require ldap-group cn=Actor, ou=groups, o=company
>  </LimitExcept>
> </Location>
>
> In this case Apache only processes the last LimitExcept, so the only
> operation that succeeds is the PUT by a user in the Actor ldap
> group.
>
>
> I've also attempted to nest these statements (new feature in 2.4) and
> apache complains:
>
> "<LimitExcept> directive specifies methods already excluded"
>
> Here is that example:
>
> <LimitExcept GET PUT>
>     Require ldap-group cn=*Artist*, ou=groups, o=bashoproserv
>     <LimitExcept PUT>
>         Require ldap-group cn=*Actor*, ou=groups, o=bashoproserv
>     </LimitExcept>
> </LimitExcept>
>

So is it Actor or Artist or both??? Can't see Artist in the first example...

The docs further say:

The <Limit> and <LimitExcept>
(http://httpd.apache.org/docs/current/mod/core.html#limitexcept) directives
may be nested. In this case, *each successive level of <Limit> or
<LimitExcept> directives must further restrict the set of methods to which
access controls apply.*

When using <Limit> or <LimitExcept> directives with the Require
(http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require)
directive, note that the *first Require to succeed authorizes the request,
regardless of the presence of other Require directives.*

So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and
having the above said in mind, I would try something like this:

<Limit GET PUT>
   Require ldap-group cn=Artist, ou=groups, o=company
</Limit>
<Limit GET>
   Require ldap-group cn=WeatherMan, ou=groups, o=company
</Limit>
<Limit PUT>
   Require ldap-group cn=Actor, ou=groups, o=company
</Limit>

> I feel like I'm very close to getting this working, but I'm not quite
> grasping how to stack the LimitExcepts properly.
>
> Thanks for your help,
>
>
> James
>