httpd-modules-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Thomas, Peter" <>
Subject RE: [users@httpd] How do I require more than one Require ldap-* directive match?
Date Tue, 06 Apr 2010 17:50:52 GMT
I've looked at the mod_authnz_ldap code and the documentation.  "Out of
the box" it sems like there's no way to turn the "OR" behavior of
Require ldap-* lines into "AND."  I've been trying as hard as I can to
avoid creating not only a new provider type but also a new provider.
Unfortunately, the more I dig into mod_authnz_ldap the more it seems
like it's not quite what I need.  Is there a "right" way to do this?
One thought is creating a hook that "fakes out" check_user_access by
dynamically updating the array of requires to "present" one ldap-*
require line at a time, then aggregating the results into a single
return value.
I've seen some pretty subtle tricks from all of you--I'm hoping that
someone out there has a better option than building up a new provider.

From: Thomas, Peter [] 
Sent: Tuesday, April 06, 2010 1:26 PM
Subject: [users@httpd] How do I require more than one Require ldap-*
directive match?

	How do I configure mod_authnz_ldap to require that I meet
multiple authorization conditions [i.e. user must be a member of an LDAP
group AND also posses one or more attributes].  As it is, the code
returns "OK" as soon as the first "Require ldap-*" directive succeeds,
short-circuiting subsequent require directives.

	If I only had to match on attributes, I could use a Require
llda-filter directive, but needing to search for both a group and an
attribute stops me cold.


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message