httpd-users mailing list archives

From Igor Cicimov <>
Subject Re: [users@httpd] using multiple LimitExcept directives
Date Sun, 03 Mar 2013 07:46:00 GMT
On 03/03/2013 3:34 PM, "James Martin" <> wrote:
> Folks,
> I'm attempting to use multiple LimitExcept directives in one
> Location.  Basically I want to give the "*Actor*" ldap group GET &
> PUT access, the "WeatherMan" ldap group only GET access, and the
> "*Actor*" ldap group PUT access.  I'm open to using either apache 2.2 or
> 2.4, as I see that apache 2.4 supports nesting of the Limit and
> LimitExcept directives.  This is what I've tried so far:

Can you please first check the above bolded groups for us? Is that
correct, or should one of them be Artist instead?

> <Location "/boballcharlieputs">
>   AuthType Basic
>   AuthName "Secure Area"
>   AuthBasicProvider ldap
>    AuthLDAPURL
>   AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
>   AuthLDAPBindPassword password

> <LimitExcept GET PUT>
>     Require ldap-group cn=Actor, ou=groups, o=company
> </LimitExcept>

From the docs:

<LimitExcept> and </LimitExcept> are used to enclose a group of access
control directives which will then apply to any HTTP access method
*not* listed in the arguments.
In this context, isn't your above statement actually achieving the opposite
from what you want?

>  <LimitExcept GET>
>         Require ldap-group cn=WeatherMan, ou=groups, o=company
>  </LimitExcept>
>  <LimitExcept PUT>
>         Require ldap-group cn=Actor, ou=groups, o=company
>  </LimitExcept>
> </Location>
> In this case Apache only processes the last LimitExcept, so the only
> operation that is successful is the PUT by a user in the Actor ldap
> group.
> I've also attempted to nest these statements (new feature in 2.4) and
> apache complains:
> "<LimitExcept> directive specifies methods already excluded"
> Here is that example:
> <LimitExcept GET PUT>
>     Require ldap-group cn=*Artist*, ou=groups, o=bashoproserv
>     <LimitExcept PUT>
>         Require ldap-group cn=*Actor*, ou=groups, o=bashoproserv
>     </LimitExcept>
> </LimitExcept>

So is it Actor or Artist or both??? Can't see Artist in the first example...

The docs further say:

The <Limit> and <LimitExcept> directives may be nested. In this case,
*each successive level of <Limit> or <LimitExcept> directives
must further restrict the set of methods to which access
controls apply.*
When using <Limit> or <LimitExcept> directives with the Require
directive, note that the
*first Require to
succeed authorizes the request, regardless of the presence of other
Require directives.*

So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and
having the above said in mind, I would try something like this:

<Limit GET PUT>
   Require ldap-group cn=Artist, ou=groups, o=company
   <Limit GET>
      Require ldap-group cn=WeatherMan, ou=groups, o=company
   </Limit>
   <Limit PUT>
      Require ldap-group cn=Actor, ou=groups, o=company
   </Limit>
</Limit>

> I feel like I'm very close to getting this working, but I'm not quite
> grasping how to stack the LimitExcepts properly.
> Thanks for your help,
> James
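To make the method-scoping rules quoted in this thread concrete, here is an added Python model of how <Limit>/<LimitExcept> sections and their Require lines combine (an illustration written for this page, not Apache code and not either poster's configuration). Group and method names are taken from the thread; the model assumes the 2.4 default of "first Require to succeed authorizes" and treats a request with no applicable Require as denied.

```python
# Added model of Apache <Limit>/<LimitExcept> method scoping (not Apache's
# own code): a section's Require directives apply only to its method set,
# and a nested section must not widen its parent's set.
ALL_METHODS = frozenset({"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"})

class Section:
    def __init__(self, kind, methods, requires=(), children=()):
        listed = frozenset(methods)
        # <Limit> covers the listed methods; <LimitExcept> covers all others.
        self.scope = listed if kind == "Limit" else ALL_METHODS - listed
        self.requires = list(requires)   # ldap groups named in Require lines
        self.children = list(children)

def validate(section, parent_scope=ALL_METHODS):
    """Config-time check: each nested level must further restrict the scope."""
    if not section.scope <= parent_scope:
        raise ValueError("directive specifies methods already excluded")
    for child in section.children:
        validate(child, section.scope)

def applicable_groups(section, method):
    """Groups whose Require applies to this method, outer section first."""
    if method not in section.scope:
        return []
    groups = list(section.requires)
    for child in section.children:
        groups += applicable_groups(child, method)
    return groups

def authorized(sections, method, user_groups):
    """First Require to succeed authorizes; no applicable Require means denied."""
    return any(g in user_groups
               for s in sections for g in applicable_groups(s, method))

def access_matrix(sections, groups, methods=("GET", "PUT", "DELETE")):
    """Methods each single-group user may use under the given sections."""
    return {g: [m for m in methods if authorized(sections, m, {g})] for g in groups}

def james_nested():
    # James's 2.4 attempt: <LimitExcept PUT> inside <LimitExcept GET PUT>;
    # the inner scope (everything but PUT) is wider than the outer one.
    return Section("LimitExcept", ["GET", "PUT"], ["Artist"],
                   [Section("LimitExcept", ["PUT"], ["Actor"])])

def igor_nested():
    # Igor's proposal: <Limit GET> and <Limit PUT> nested inside <Limit GET PUT>.
    return Section("Limit", ["GET", "PUT"], ["Artist"],
                   [Section("Limit", ["GET"], ["WeatherMan"]),
                    Section("Limit", ["PUT"], ["Actor"])])
```

Running `access_matrix` on the first quoted config (a lone `<LimitExcept GET PUT>` granting Actor) shows Actor getting DELETE but neither GET nor PUT, which is the "opposite" effect noted above; `validate(james_nested())` reproduces the nesting error, while `igor_nested()` validates and yields GET+PUT for Artist, GET for WeatherMan and PUT for Actor.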