httpd-users mailing list archives

From "Arnaud Lesueur" <arnaud.lesu...@gmail.com>
Subject [users@httpd] Apache 2.2.8 + mod_authnz_ldap + mod_header/env variables
Date Mon, 19 May 2008 14:55:02 GMT
Hi folks,

I'm currently using mod_authnz_ldap to process authentication and
authorization on an LDAP back-end on Apache 2.2.8. This part is doing
its work.

This authentication is placed in front of a mod_proxy_http in reverse
proxy mode.

I would like to pass user information to backend applications.

In the documentation:
http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#exposed
we saw that the environment variables AUTHENTICATE_* are populated with
LDAP attributes.

I've successfully checked this part on a local PHP application. I can
get my variable.
Now, I'd like to push those variables into the HTTP header using this:

SetEnvIf AUTHENTICATE_MAIL (.*) MAIL=$1
RequestHeader set MAIL "%{MAIL}e"

The header is still empty (not null but empty).

I've also tried with REMOTE_USER to do the same thing. This is also
not working, while for REMOTE_USER it is working when using
mod_auth_basic, or even with REMOTE_ADDR.

My interpretation is that my directives (SetEnvIf and RequestHeader)
are being executed before the authentication/authorization process. Is
this true? Can we force the order?

Or is there any other way to push REMOTE_USER / AUTHENTICATE_* into the
HTTP headers for this module?

Here is the configuration used:

AuthLDAPURL ldap://172.30.29.8/dc=domain,dc=fr?uid,sn,cn,mail?sub?(title=UF)

AuthType Basic
AuthName "secure"
AuthBasicProvider ldap
AuthLDAPBindDN "cn=Directory Manager"
AuthLDAPBindPassword password
AuthLDAPRemoteUserIsDN on
AuthzLDAPAuthoritative on
Require ldap-group cn=mygroup,dc=domain,dc=fr

SetEnvIf REMOTE_USER (.*) USER=$1
RequestHeader set USER "%{USER}e"

SetEnvIf AUTHENTICATE_MAIL (.*) MAIL=$1
RequestHeader set MAIL "%{MAIL}e"

ProxyPass http://localhost:8080/stub/
ProxyPassReverse http://localhost:8080/stub/

Regards,

--
Arnaud Lesueur

LinkedIn: http://www.linkedin.com/in/lesueur
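
Added example, not part of the original message: SetEnvIf is evaluated early in request processing, before authentication, so it cannot see AUTHENTICATE_* or REMOTE_USER, while mod_headers in its default late mode runs after authentication and can read the LDAP variables directly. The header names X-Auth-User and X-Auth-Mail and the variable AUTH_USER are assumptions chosen for illustration.

```apache
# Added example, not from the original message. Place these directives in the
# same container as the Auth*/Require directives shown above.

# Drop any client-supplied copies first, so the backend never receives an
# identity header that did not come from this proxy's authentication step.
RequestHeader unset X-Auth-User
RequestHeader unset X-Auth-Mail

# AUTHENTICATE_MAIL is set by mod_authnz_ldap during authentication.
# mod_headers (default late mode) runs afterwards and can read it directly;
# env= skips the header entirely when the attribute was not returned.
RequestHeader set X-Auth-Mail "%{AUTHENTICATE_MAIL}e" env=AUTHENTICATE_MAIL

# REMOTE_USER: obtain the authenticated user through mod_rewrite's
# look-ahead, copy it into AUTH_USER (hypothetical name), then into a header.
RewriteEngine On
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule .* - [E=AUTH_USER:%1]
RequestHeader set X-Auth-User "%{AUTH_USER}e" env=AUTH_USER
```

A backend that trusts these headers should accept connections only from the proxy, as the localhost:8080 target in the posted configuration suggests.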
