httpd-users mailing list archives

From Bruce DeYoung <...@qad.com>
Subject [users@httpd] ldap-attribute wildcard not working?
Date Thu, 05 Apr 2007 16:12:30 GMT
Hello,

We are moving from Apache 1.3 (Solaris) to Apache 2.2.3 (Red Hat). We are
trying to leverage the new functionality in the mod_authnz_ldap module to
authenticate/authorize users visiting our support site.

I have the authentication piece working and am now trying to authorize 
access to certain directories using ldap-attribute.

We have an attribute in our LDAP directory called "groupmembership". Due 
to some issues in our back-end Notes/Domino database, values for 
groupmembership are like "Employee 1", "Employee 2", "Employee 3", 
etc.....but each of these is essentially the same, i.e. a member of the
"Employee" group.

So, if I have content that I want to secure to members of the "Employee" 
group, I was hoping to use a wildcard like:

require ldap-attribute groupmembership=Employee*

But this is not working.  In fact, there's not even an error in the log 
file.

Here's the conf file for my test site:

<Directory "/var/www/support-dev2">
#    Options Indexes
#    AllowOverride None
#    Order allow,deny
#    Allow from all
    AuthType Basic
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthName "Please enter your webaccount username and password:"
    AuthLDAPURL ldap://domino-core.qad.com:389/?cn
    require ldap-attribute groupmembership=Employee*
#    require valid-user
    AuthLDAPBindDN "cn=Domino Ldap,o=QADWEB"
    AuthLDAPBindPassword Dom!no7d@p
</Directory>

If I change ldap-attribute to the following:

require ldap-attribute groupmembership="Employee 6"

it works for any account which specifically has "Employee 6" as a value 
for the "groupmembership" field.

But using the wildcard "Employee*" or simply Employee* (no quotes), does 
not work.

Can someone set me straight?  What am I doing wrong?   Is there a 
limitation of the wildcard character that I'm not aware of?

Thanks,

Bruce
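An added example, not from Bruce's post and not httpd code: a small Python model of the two comparison paths mod_authnz_ldap offers, run over a constructed directory. It rests on one fact about the module: `Require ldap-attribute attr=value` is evaluated with an LDAP Compare operation, which matches the value literally (a `*` is just another character), whereas `Require ldap-filter` takes an RFC 4515 search filter in which an unescaped `*` is a substring wildcard and a literal asterisk is written `\2a`. The user names, attribute values and the case-sensitive equality used by the model are assumptions; a real server applies the attribute's own equality matching rule.

```python
"""Model of `Require ldap-attribute` (LDAP Compare, literal match) versus
`Require ldap-filter` (RFC 4515 filter with '*' wildcard). Added example,
not code from the original post or from mod_authnz_ldap."""
import re

# Constructed sample directory: Domino-style numbered groupmembership
# values, one non-employee, and one entry holding a literal '*'.
DIRECTORY = {
    "alice": {"groupmembership": ["Employee 1", "Support Staff"]},
    "bob":   {"groupmembership": ["Employee 6"]},
    "carol": {"groupmembership": ["Contractor 2"]},
    "dave":  {"groupmembership": ["Employee*"]},  # literal asterisk
}


def ldap_compare(entry, attr, assertion):
    """Model of the LDAP Compare operation behind `Require ldap-attribute`.
    The assertion value is matched whole. This model is case-sensitive
    (assumption); a real server uses the attribute's equality matching
    rule, but in neither case does '*' act as a wildcard."""
    return assertion in entry.get(attr, [])


def unescape_filter_value(part):
    """Decode RFC 4515 hex escapes such as \\2a (a literal '*')."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), part)


def substring_match(pattern, value):
    """Evaluate an RFC 4515 substring assertion (initial*any*...*final)
    against one attribute value. Unescaped '*' is the wildcard; splitting
    before unescaping keeps \\2a literal."""
    pieces = [unescape_filter_value(p) for p in pattern.split("*")]
    if len(pieces) == 1:            # no wildcard: plain equality
        return pieces[0] == value
    initial, final, any_parts = pieces[0], pieces[-1], pieces[1:-1]
    if not value.startswith(initial):
        return False
    rest = value[len(initial):]
    for part in any_parts:          # 'any' parts must appear in order
        idx = rest.find(part)
        if idx < 0:
            return False
        rest = rest[idx + len(part):]
    return rest.endswith(final)


def ldap_filter_match(entry, filter_str):
    """Evaluate a single-item filter such as '(groupmembership=Employee*)',
    the shape `Require ldap-filter` takes. Compound filters (&, |, !) are
    out of scope for this model."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", filter_str)
    if not m:
        raise ValueError(f"unsupported filter: {filter_str}")
    attr, pattern = m.group(1), m.group(2)
    return any(substring_match(pattern, v) for v in entry.get(attr, []))


def authorized(rule, entry):
    """Dispatch on the two Require forms discussed in the thread."""
    kind, _, arg = rule.partition(" ")
    if kind == "ldap-attribute":
        attr, _, value = arg.partition("=")
        return ldap_compare(entry, attr, value.strip('"'))
    if kind == "ldap-filter":
        return ldap_filter_match(entry, arg)
    raise ValueError(f"unknown Require type: {kind}")


def who_gets_in(rule):
    """Sorted list of users a Require rule admits, for side-by-side comparison."""
    return sorted(u for u, e in DIRECTORY.items() if authorized(rule, e))


if __name__ == "__main__":
    for rule in ('ldap-attribute groupmembership=Employee*',
                 'ldap-attribute groupmembership="Employee 6"',
                 'ldap-filter (groupmembership=Employee*)',
                 'ldap-filter (groupmembership=Employee\\2a)'):
        print(f"Require {rule:48} -> {who_gets_in(rule)}")
```

Run as shown, the `ldap-attribute` rule with `Employee*` admits only the entry whose value is literally `Employee*`, while `ldap-filter (groupmembership=Employee*)` admits every numbered Employee value; that second form is the directive that does what the post asks for. Two checks worth making before relying on it: confirm the attribute's matching rule on the Domino server (substring filters need a substring rule to be indexed and honoured), and since the posted configuration carries the bind DN password in clear text, keep that file readable only by root and rotate the credential once it has appeared on a public list.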