From: "J.Lance Wilkinson"
To: users@httpd.apache.org
CC: jlw12@psu.edu
Date: Thu, 23 Feb 2012 13:48:17 -0500
Message-ID: <4F4689F1.2060203@psu.edu>
In-Reply-To: <4F286C9F.3060102@rowe-clan.net>
Subject: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
I've just been asked to implement in Apache HTTPD a restricted access area that drives off membership in an LDAP group. I have production services running on Solaris 10 using Apache/2.2.6. Eventually these will be replaced with servers running on RHEL 6 using Apache/2.2.15, but that's not likely to be available before mid-year, while this need to control access to some directories by LDAP group membership exists NOW.

I already have this kind of setup that allows me to simplify my access control:

    CosignProtected On
    AuthType Cosign
    AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
    AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
    AuthLDAPBindPassword "password56789"
    require ldap-filter uid=*
    Order allow,deny
    Allow from all

Any request that ends with "/intranet.html" or contains "/intranet/" in the path has our single signon solution Cosign forced upon it. This forces any attempted access to any path containing "intranet" to provide credentials authenticated by the institution as a whole. Further, it then enforces that the authenticated User ID be found matching a uid entry in an LDAP server.

Now I know that I can restrict a given explicit path to a specific LDAP group, but as the feature becomes more widely recognized by my website authors, I can see departments left and right asking for the feature, and I don't want to be writing a new custom stanza for each department every week or so. I'd like to make it dynamic, so one stanza will cover the current need and all similar needs in the future just by creating a new directory that matches the LOCATION pattern:

    CosignProtected On
    AuthType Cosign
    AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
    AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
    AuthLDAPBindPassword "password56789"
    ## somehow get the value for the group from the URI supplied
    require ldap-group cn=A.DYNAMICALLY.IDENTIFIED.LDAP.GROUP
    Order allow,deny
    Allow from all

Where the LDAP group required is driven by something in the URI.
What's desired is a way to capture the desired LDAP GROUP from the URI, so all the website authors need to do is to create content with a path that contains "/restricted/THIS.LDAP.GROUP/", and then USE that piece of the URI as the group to require.

I'm presuming that there's some way, using a mod_rewrite rule, to extract the desired information from the URI and stash it, say, in an environment variable. The task then is to somehow use that extracted value to impose the appropriate restrictions in the require directive.

Thus, website authors create a directory path

    ..../restricted/THIS.LDAP.GROUP/content.that.is.restricted.html

and the required group would automatically be cn=THIS.LDAP.GROUP for that directory and below.

Is there any way to do this without having to rewrite or add on to mod_authnz_ldap? Maybe some way to inject the desired group into the ldap-filter format of the require directive?

-- 
J.Lance Wilkinson ("Lance")            InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead       Phone: (814) 865-4870
Digital Library Technologies           FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
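The access decision the post asks for, written out as a small Python model (an added example; it is not code from the post, from Apache httpd or from mod_authnz_ldap). It captures the group name from a "/restricted/GROUP/..." path, checks the authenticated uid against a constructed in-memory stand-in for the LDAP group directory (SAMPLE_GROUPS), and falls back to the existing "any authenticated uid" behaviour for paths outside "/restricted/". The names restricted_group, authorize, ldap_filter_escape and membership_filter are my own, the whitelist for group names and the posixGroup-style (cn, memberUid) filter are assumptions about the schema, and the two security points the model makes explicit are that a malformed group segment fails closed rather than falling through to "allow", and that anything taken from the URI is escaped per RFC 4515 before it is interpolated into an LDAP filter string.

```python
"""Model of 'require the LDAP group named in the URI'.

Added illustration, not part of the original post or of Apache httpd.
The directory below is a constructed stand-in for an LDAP server.
"""
import re
from typing import Dict, Optional, Set

# Constructed sample directory: group cn -> set of member uids.
SAMPLE_GROUPS: Dict[str, Set[str]] = {
    "LIBRARY.STAFF": {"jlw12", "abc123"},
    "DLT.ADMINS": {"jlw12"},
}

# "/restricted" followed by an optional "/<segment>", then "/" or end of path.
# The poster's convention is that "/restricted/GROUP/" may appear anywhere
# in the path, hence search() rather than match().
_RESTRICTED_RE = re.compile(r"/restricted(?:/([^/]*))?(?:/|$)")

# Assumed whitelist for a group cn taken from the URI: letters, digits, dot,
# underscore, hyphen, at most 64 characters.  Anything else is rejected
# before it can reach an LDAP filter or a group lookup.
_GROUP_CN_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def restricted_group(path: str) -> Optional[str]:
    """Return the raw group segment of a /restricted/<GROUP>[/...] path.

    Returns None when the path is not under /restricted at all, and "" when
    it is /restricted or /restricted/ with no group segment.
    """
    m = _RESTRICTED_RE.search(path)
    if m is None:
        return None
    return m.group(1) or ""


def authorize(path: str, uid: Optional[str],
              groups: Dict[str, Set[str]] = SAMPLE_GROUPS) -> str:
    """Return 'allow' or 'deny' for an (already authenticated) uid on path."""
    if uid is None:
        # Cosign would have forced a login before we get here; no uid, no access.
        return "deny"
    cn = restricted_group(path)
    if cn is None:
        # Not a restricted path: keep the 'require ldap-filter uid=*' semantics,
        # i.e. any authenticated uid is enough.
        return "allow"
    if not _GROUP_CN_RE.match(cn):
        # Missing or malformed group segment: fail closed, never fall through.
        return "deny"
    return "allow" if uid in groups.get(cn, set()) else "deny"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def membership_filter(cn: str, uid: str) -> str:
    """Build a posixGroup-style membership filter (assumed schema) with both
    URI- and user-derived values escaped."""
    return "(&(cn=%s)(memberUid=%s))" % (ldap_filter_escape(cn),
                                         ldap_filter_escape(uid))


if __name__ == "__main__":
    for p, u in [("/dept/restricted/LIBRARY.STAFF/page.html", "abc123"),
                 ("/restricted/DLT.ADMINS/x.html", "abc123"),
                 ("/restricted/", "jlw12"),
                 ("/restricted/a(b)/x", "jlw12"),
                 ("/intranet/foo.html", "jlw12")]:
        print("%-40s %-8s %s" % (p, u, authorize(p, u)))
    print(membership_filter("a*b(c)", "jlw12"))
```

The whitelist is deliberately stricter than the RFC 4515 escaping: escaping makes an arbitrary string safe inside a filter, but a group name that needs escaping is almost certainly not a directory a site author created, so rejecting it outright gives a simpler audit trail than letting it through escaped.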