From: "Tony Rice (trice)"
Date: Fri, 2 Oct 2009 10:36:42 -0400
Subject: RE: [users@httpd] group authorization via LDAP
In-Reply-To: <1254472558.54871.16.camel@strangepork.london.mintel.ad>

Is our only choice changing all the .htaccess files with "require group
" to "require ldap-group cn=,ou=some long ldap string" in order to make
the switch to group authorization via LDAP groups?

-Tony

> -----Original Message-----
> From: Tom Evans [mailto:tevans.uk@googlemail.com]
> Sent: Friday, October 02, 2009 4:36 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] group authorization via LDAP
>
> On Thu, 2009-10-01 at 17:18 -0400, Tony Rice (trice) wrote:
> > I'm trying to convert from DBM file based authentication and
> > authorization to LDAP based authentication and authorization in Apache
> > 2.2.11.
> >
> > We've already got a large number of .htaccess files with specific
> > configs for individual directories that are using "require user" and
> > "require group". Is it possible to configure the apache server to allow
> > those .htaccess to continue to work as expected or must we change them to
> > "require ldap-user" and "require ldap-group"?
> >
> > I'm digging through the mod_authnz_ldap docs but the config to specify
> > the base for group authorization (in my case: "ou=GroupStuff,ou=Our
> > Groups,dc=Company,dc=Com") just isn't jumping out at me.
> >
>
> This is how we do it:
>
> AuthType Basic
> AuthName "Company"
> AuthBasicProvider "ldap"
> AuthLDAPURL "ldap://ldap/o=Company?mail?sub?(accountActive=TRUE)"
> AuthLDAPBindDN "cn=authuser,ou=System Accounts,o=Company"
> AuthLDAPBindPassword "authpass"
> AuthzLDAPAuthoritative "On"
> Require valid-user
> Require ldap-group cn=Department,ou=Groups,o=Company
>
>
> Cheers
>
> Tom
>
>
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server
> Project.
> See for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
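
Added example, not part of the original thread and not Apache project code: a sketch of the mechanical rewrite the question describes, turning "require group" / "require user" lines in an .htaccess file into mod_authnz_ldap directives. It assumes each group is an entry named cn=<group> directly under the base DN quoted in the thread; the function names and the sample file are constructed for illustration.

```python
import re
import shlex

# Assumed group base DN: the example value quoted in the thread.
GROUP_BASE = "ou=GroupStuff,ou=Our Groups,dc=Company,dc=Com"

# Directive names are case-insensitive; commented-out lines do not match.
REQUIRE_RE = re.compile(r"^(\s*)require\s+(group|user)\s+(.+?)\s*$", re.IGNORECASE)

def escape_rdn_value(value):
    """Escape a group name for use as an RDN value (RFC 4514 specials)."""
    escaped = re.sub(r'([,+"\\<>;])', r"\\\1", value)
    return "\\" + escaped if escaped.startswith(("#", " ")) else escaped

def convert_line(line, group_base=GROUP_BASE):
    """Return the list of lines that replace one .htaccess line."""
    m = REQUIRE_RE.match(line)
    if not m:
        return [line]                      # not a file-based user/group rule
    indent, kind, args = m.groups()
    if kind.lower() == "user":
        # ldap-user accepts a space-separated user list, like "require user".
        return [f"{indent}Require ldap-user {args}"]
    try:
        groups = shlex.split(args)         # honours quoted group names
    except ValueError:
        return [line]                      # unbalanced quote: leave for manual review
    # ldap-group takes one DN per directive (a DN may contain spaces),
    # so a multi-group line becomes one Require line per group.
    return [f"{indent}Require ldap-group cn={escape_rdn_value(g)},{group_base}"
            for g in groups]

def convert_htaccess(text, group_base=GROUP_BASE):
    """Convert a whole .htaccess file given as a string."""
    out = []
    for line in text.splitlines():
        out.extend(convert_line(line, group_base))
    return "\n".join(out) + "\n"

# Constructed sample input, not taken from any real server.
SAMPLE = """AuthType Basic
AuthName "Company"
require group staff admins
# require group old
require user alice bob
"""

if __name__ == "__main__":
    print(convert_htaccess(SAMPLE), end="")
```

Run it against copies of the files and diff the output before deploying; lines it cannot parse are passed through unchanged so they can be reviewed by hand.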