httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "J.Lance Wilkinson" <>
Subject Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?
Date Wed, 21 Mar 2012 12:49:09 GMT
I don't believe I ever got a reply to this, so since it's been a month I'll
repeat it...

	the story so far:  I have a need to be able to parse into an
	environment variable (using Rewrite rules or some such) a value
	that then can be used in a *require* directive like

		require ldap-group	
	or	require ldap-filter

	Using Apache v2.2.6 on Solaris 10, Apache 2.2.15 on Linux RHEL 6,
	pretty much the same Apache configurations on both.

	Is this something possible NOW using stock modules, or is this
	something that I will have with Apache 2.4 and its stock modules,
	or is this something I would need to implement new or modified
	code to achieve?

Eric Covener wrote:
> LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
> queried, but you might not be able to express the rules you need using
> attributes only.

	Not sure exactly what you're saying here...  "AUTHENTICATE_* vars"
	are those environment variables or something?  I've never seen them
	in the environment presented to a CGI script or a PHP script.  Are
	they environment variables that can be used in other Apache directives?
	As I currently use things like %{REQUEST_URI} in a rewrite rule or
	rewrite condition?   If that's the case, what gets substituted for
	the "*"?  Is it AUTHENTICATE_attribute like AUTHENTICATE_UID or
	AUTHENTICATE_MAIL, substituting LDAP attributes for the wildcard,
	or is there some specific vocabulary of substitutions for the
	wildcard?  Is there a listing or documentation someplace that
	specifically addresses this that I've missed?

> Some directory servers allow group membership to be read as a "magic"
> attribute in LDAP.  Notably, tivoli directory server allows an
> ibm-allGroups element to be used (result only, not filtered on) which
> you could them find a way to check more dynamically (setenvif, allow
> from env=...).

	I think we may be using those features on our university-wide
	LDAP server here, but not in that manner.  I have used at least one
	ibm-* attribute in other capacities, but with custom developed
	code in a CGI script, not at the Apache authentication/authorization

J.Lance Wilkinson ("Lance")		InterNet:
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message