httpd-users mailing list archives

From "J.Lance Wilkinson" <>
Subject [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Date Thu, 23 Feb 2012 18:48:17 GMT
I've just been asked to implement in Apache HTTPD a restricted access area
that drives off membership in an LDAP group.

I have production services running on Solaris 10 using Apache/2.2.6. 
Eventually these will be replaced with servers running on RHEL 6 using 
Apache/2.2.15, but that's not likely to be available before mid-year, while this 
need to control access to some directories by LDAP group membership exists NOW.

I already have this kind of setup that allows me to simplify my access control:

     <Location ~ "^/(.*)/intranet(.html|/(.*)?)$">
      CosignProtected On
      AuthType Cosign
      AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
      AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
      AuthLDAPBindPassword "password56789"
      require ldap-filter uid=*
      Order allow,deny
      Allow from all
     </Location>

Any request that ends with "/intranet.html" or contains "/intranet/" in the 
path has our single signon solution Cosign forced upon it.  This forces any 
attempted access to any path containing "intranet" to provide credentials 
authenticated by the institution as a whole.

Further, it then enforces that the authenticated User ID be found matching a 
uid entry in an LDAP server.

Now I know that I can restrict a given explicit path to a specific LDAP group,
but as the feature becomes more widely recognized by my website authors, I can 
see departments left and right asking for the feature, and I don't want to be 
writing a new custom stanza for each department every week or so.  I'd like to 
make it dynamic, so one stanza will cover the current need and all similar 
needs in the future just by creating a new directory that matches the 
LOCATION pattern:

     <Location ~ "^/(.*)/restricted(.html|/(.*)?)$">
      CosignProtected On
      AuthType Cosign
      AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
      AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
      AuthLDAPBindPassword "password56789"
##  somehow get the value for the group from the URI supplied
      require ldap-group cn=A.DYNAMICALLY.IDENTIFIED.LDAP.GROUP
      Order allow,deny
      Allow from all
     </Location>

Where the LDAP group required is driven by something in the URI.    What's
desired is a way to capture the desired LDAP GROUP from the URI, so all the 
website authors need to do is to create content with a path that contains 
"/restricted/THIS.LDAP.GROUP/", and then USE that piece of the URI as the group 
to require.

I'm presuming that there's some way, using a mod_rewrite rule, to extract the 
desired information from the URI and stash it, say, in an environment variable. 
  The task then is to somehow use that extracted value to impose the 
appropriate restrictions in the require directive.  Thus, website authors 
create a directory path 
..../restricted/THIS.LDAP.GROUP/ and the 
required group would automatically be cn=THIS.LDAP.GROUP for that directory and 

Is there any way to do this without having to rewrite or add on to 
mod_authnz_ldap ?  Maybe some way to inject the desired group into the 
ldap-filter format of the require directive?

J.Lance Wilkinson ("Lance")		InterNet:
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
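
Added example, not part of the original message: one way to avoid hand-writing a stanza per department is to generate the stanzas from the directories that already exist, with an allow-list on the directory name before it is used as a group RDN. The group base DN, the password placeholder and the function names are assumptions made for illustration; the other directives are copied from the stanza in the message.

```python
import re
import sys
from pathlib import Path

# Assumption: groups live under this base DN (the message only shows "cn=...").
GROUP_BASE = "ou=Groups,dc=c,dc=d"
# Allow-list: a directory name may only become a group RDN if it cannot alter
# the DN (no ',', '=', '+') or break out of the config line (no quotes/space).
GROUP_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")
URI_RE = re.compile(r"/[A-Za-z0-9._/-]+/")

STANZA = """<Location "{uri}">
  CosignProtected On
  AuthType Cosign
  AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
  AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
  AuthLDAPBindPassword "{password}"
  require ldap-group cn={group},{base}
  Order allow,deny
  Allow from all
</Location>
"""

def find_restricted(docroot):
    """Return (uri, group) for each <docroot>/.../restricted/<group>/ directory."""
    root = Path(docroot)
    return [("/" + d.relative_to(root).as_posix() + "/", d.name)
            for d in sorted(root.rglob("restricted/*")) if d.is_dir()]

def build_config(docroot, password="BIND_PASSWORD_PLACEHOLDER"):
    """Return (config_text, rejected_uris); unsafe names never reach the config."""
    stanzas, rejected = [], []
    for uri, group in find_restricted(docroot):
        if GROUP_RE.fullmatch(group) and URI_RE.fullmatch(uri):
            stanzas.append(STANZA.format(uri=uri, password=password,
                                         group=group, base=GROUP_BASE))
        else:
            rejected.append(uri)
    return "\n".join(stanzas), rejected

if __name__ == "__main__":
    config, rejected = build_config(sys.argv[1] if len(sys.argv) > 1 else ".")
    print(config)
    for uri in rejected:
        print("rejected (unsafe name): " + uri, file=sys.stderr)
```

The output is meant to be written to a file that the main configuration pulls in with Include, and regenerated when a new restricted directory appears.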
