From: Eric Covener
To: users@httpd.apache.org
Date: Fri, 2 Oct 2009 11:05:00 -0400
Subject: Re: [users@httpd] group authorization via LDAP

On Fri, Oct 2, 2009 at 8:38 AM, Marc Patermann wrote:
> Hi,
>
> Tom Evans wrote:
>>
>> On Thu, 2009-10-01 at 17:18 -0400, Tony Rice (trice) wrote:
>
>> This is how we do it:
>> [...]
>> AuthzLDAPAuthoritative "On"
>> Require valid-user
>> Require ldap-group cn=Department,ou=Groups,o=Company
>
> Does this work?
> When I read the docs:
> "Require valid-user
> If this directive exists, mod_authnz_ldap grants access to any user that has
> successfully authenticated during the search/bind phase."
> and:
> "Other Require values may also be used which may require loading additional
> authorization modules. Note that if you use a Require value from another
> authorization module, you will need to ensure that AuthzLDAPAuthoritative
> is set to off to allow the authorization phase to fall back to the module
> providing the alternate Require value."
> -> http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
>
> This seems to me like either "Require valid-user" is not working at all -
> because AuthzLDAPAuthoritative is "On" - or it overrules any ldap-group
> setting. Hm!? The doc is poor in this regard.
mod_authnz_ldap does not handle "valid-user", it allows another module to
handle it [if the request gets that far]. This is why the
AuthzLDAPAuthoritative does not apply to the "Require valid-user", and this
quoted config boils down to the same as if you'd removed the first two
quoted directives [IIUC].

-- 
Eric Covener
covener@gmail.com
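An added example, not part of the thread, laying out the quoted directives as httpd 2.2 configuration so the effect of AuthzLDAPAuthoritative on the two Require lines can be compared side by side; the Location paths, AuthName strings and the AuthLDAPURL host and filter are assumed.

```apache
# Added example (not from the thread). Host and filter in AuthLDAPURL are assumed.

# 1. The configuration quoted in the thread. Per the reply above, mod_authnz_ldap
#    does not handle "valid-user" (another module, mod_authz_user, does) and with
#    AuthzLDAPAuthoritative On its ldap-group decision is final, so a user outside
#    the group never reaches the valid-user check. Effectively the same as block 2.
<Location /dept-only>
    AuthType Basic
    AuthName "Department only"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/o=Company?uid?sub?(objectClass=person)"
    AuthzLDAPAuthoritative On
    Require valid-user
    Require ldap-group cn=Department,ou=Groups,o=Company
</Location>

# 2. The reduced form the reply describes: only the group membership is enforced.
<Location /dept-only-reduced>
    AuthType Basic
    AuthName "Department only"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/o=Company?uid?sub?(objectClass=person)"
    Require ldap-group cn=Department,ou=Groups,o=Company
</Location>

# 3. Caveat for the docs' advice to set AuthzLDAPAuthoritative Off: in 2.2 the
#    Require lines are alternatives (any one satisfied grants access), so once the
#    fall-back to mod_authz_user is allowed, "Require valid-user" admits every
#    authenticated LDAP user and the group restriction no longer limits anything.
#    Keep "Require valid-user" only where that is the intended policy.
<Location /any-ldap-user>
    AuthType Basic
    AuthName "Any authenticated user"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/o=Company?uid?sub?(objectClass=person)"
    AuthzLDAPAuthoritative Off
    Require valid-user
    Require ldap-group cn=Department,ou=Groups,o=Company
</Location>
```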