httpd-users mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] group authorization via LDAP
Date Fri, 02 Oct 2009 15:05:00 GMT
On Fri, Oct 2, 2009 at 8:38 AM, Marc Patermann
<hans.moser@ofd-sth.niedersachsen.de> wrote:
> Hi,
>
> Tom Evans wrote:
>>
>> On Thu, 2009-10-01 at 17:18 -0400, Tony Rice (trice) wrote:
>
>> This is how we do it:
>> [...]
>> AuthzLDAPAuthoritative "On"
>> Require valid-user
>> Require ldap-group cn=Department,ou=Groups,o=Company
>
> Does this work?
> When I read the docs:
> "Require valid-user
> If this directive exists, mod_authnz_ldap grants access to any user that has
> successfully authenticated during the search/bind phase."
> and:
> "Other Require values may also be used which may require loading additional
> authorization modules. Note that if you use a Require value from another
> authorization module, you will need to ensure that AuthzLDAPAuthoritative
> is set to off to allow the authorization phase to fall back to the module
> providing the alternate Require value."
> -> http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
>

> This seems to me like either "Require valid-user" is not working at all -
> because AuthzLDAPAuthoritative is "On" - or it overrules any ldap-group
> setting. Hm!?

The doc is poor in this regard.  mod_authnz_ldap does not handle
"valid-user", it allows another module to handle it [if the request
gets that far].  This is why the AuthzLDAPAuthoritative does not
apply to the "Require valid-user", and this quoted config boils down
to the same as if you'd removed the first two quoted directives
[IIUC].


-- 
Eric Covener
covener@gmail.com
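
The behaviour described in the reply above, as a simplified Python model added here (it is not Apache source and not code from the thread). It assumes the mod_authnz_ldap checker runs before the module that answers `valid-user`, evaluates only `ldap-group`, and uses hypothetical function names; it also covers the `AuthzLDAPAuthoritative Off` case from the quoted documentation.

```python
# Simplified model (an assumption, not Apache source) of the httpd 2.2
# authorization phase: each module's checker returns OK, DECLINED or DENIED,
# and the first answer other than DECLINED ends the phase.
OK, DECLINED, DENIED = "OK", "DECLINED", "401"

LDAP_KEYWORDS = {"ldap-user", "ldap-group", "ldap-dn",
                 "ldap-attribute", "ldap-filter"}


def authnz_ldap(requires, user_groups, authoritative):
    """Handles only ldap-* requirements; 'valid-user' is not one of them."""
    saw_ldap = False
    for req in requires:
        keyword, _, arg = req.partition(" ")
        if keyword not in LDAP_KEYWORDS:
            continue
        saw_ldap = True
        # Only ldap-group is evaluated in this model.
        if keyword == "ldap-group" and arg in user_groups:
            return OK
    # No ldap-* requirement matched: refuse outright only when authoritative.
    return DENIED if (saw_ldap and authoritative) else DECLINED


def authz_user(requires):
    """Stand-in for the module that answers 'Require valid-user'."""
    return OK if "valid-user" in requires else DECLINED


def authorize(requires, user_groups, authoritative):
    """Run the LDAP checker first, then the valid-user checker (assumed order)."""
    for result in (authnz_ldap(requires, user_groups, authoritative),
                   authz_user(requires)):
        if result != DECLINED:
            return result
    return DENIED  # no module granted access


GROUP = "cn=Department,ou=Groups,o=Company"
QUOTED = ["valid-user", "ldap-group " + GROUP]  # Require lines as quoted
GROUP_ONLY = ["ldap-group " + GROUP]            # first two directives removed


def outcomes(requires, authoritative):
    """Results for (group member, authenticated non-member)."""
    return (authorize(requires, {GROUP}, authoritative),
            authorize(requires, set(), authoritative))


if __name__ == "__main__":
    print("quoted, On :", outcomes(QUOTED, True))
    print("group only :", outcomes(GROUP_ONLY, True))
    print("quoted, Off:", outcomes(QUOTED, False))
```

In this model the quoted configuration and the group-only one give identical results, while switching the authoritative flag off lets `Require valid-user` admit any authenticated user regardless of group.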