httpd-users mailing list archives

From Igor Cicimov <icici...@gmail.com>
Subject Re: [users@httpd] using multiple LimitExcept directives
Date Sun, 03 Mar 2013 07:46:00 GMT
On 03/03/2013 3:34 PM, "James Martin" <james.s.martin@gmail.com> wrote:
>
> Folks,
>
> I'm attempting to use multiple LimitExcept directives in one
> Location.  Basically I want to give the "*Actor*" ldap group GET &
> PUT access, the "WeatherMan" ldap group only GET access, and the
> "*Actor*" ldap group PUT access.  I'm open to using either apache 2.2 or
> 2.4, as I see that apache 2.4 supports nesting of the Limit and
> LimitExcept directives.  This is what I've tried so far:
>

Can you please first check the groups in bold above for us? Is that
correct, or should one of them be Artist instead?

>
> <Location "/boballcharlieputs">
>   AuthType Basic
>   AuthName "Secure Area"
>   AuthBasicProvider ldap
>   AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
>   AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
>   AuthLDAPBindPassword password


> <LimitExcept GET PUT>
>     Require ldap-group cn=Actor, ou=groups, o=company
> </LimitExcept>

From the docs:

<LimitExcept> and </LimitExcept> are used to enclose a group of access
control directives which will then apply to any HTTP access method
*not* listed in the arguments

In this context, isn't your above statement actually achieving the opposite
of what you want?

>  <LimitExcept GET>
>         Require ldap-group cn=WeatherMan, ou=groups, o=company
>  </LimitExcept>
>  <LimitExcept PUT>
>         Require ldap-group cn=Actor, ou=groups, o=company
>  </LimitExcept>
> </Location>
>
> In this case Apache only processes the last LimitExcept, so only
> operation that is successful is the PUT by a user in the Actor ldap
> group.
>
>
> I've also attempted to nest these statements (new feature in 2.4) and
> apache complains:
>
> "<LimitExcept> directive specifies methods already excluded"
>
> Here is that example:
>
> <LimitExcept GET PUT>
>     Require ldap-group cn=*Artist*, ou=groups, o=bashoproserv
>     <LimitExcept PUT>
>         Require ldap-group cn=*Actor*, ou=groups, o=bashoproserv
>     </LimitExcept>
> </LimitExcept>
>

So is it Actor or Artist or both??? Can't see Artist in the first example...

The docs further say:

The <Limit> and <LimitExcept>
(http://httpd.apache.org/docs/current/mod/core.html#limitexcept) directives
may be nested. In this case, *each successive level of <Limit> or
<LimitExcept> directives must further restrict the set of methods to which
access controls apply.*

When using <Limit> or <LimitExcept> directives with the Require
(http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require)
directive, note that the *first Require to succeed authorizes the request,
regardless of the presence of other Require directives.*

So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and
with the above in mind, I would try something like this:

# Each <Limit> applies only to the methods it names, so a GET is checked
# against both the Artist and the WeatherMan Require, and a PUT against
# both the Artist and the Actor Require; the first one to succeed
# authorizes the request.
<Limit GET PUT>
   Require ldap-group cn=Artist, ou=groups, o=company
</Limit>
<Limit GET>
   Require ldap-group cn=WeatherMan, ou=groups, o=company
</Limit>
<Limit PUT>
   Require ldap-group cn=Actor, ou=groups, o=company
</Limit>

> I feel like I'm very close to getting this working, but I'm not quite
> grasping how to stack the LimitExcepts properly.
>
> Thanks for your help,
>
>
> James
>

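An Apache 2.4 configuration for the policy discussed in this thread, added here as an example; it is not part of either message. It assumes the group DNs, the LDAP URL and the bind account from James's post (o=company is taken as the suffix; his messages mix o=company and o=bashoproserv) and that mod_ldap, mod_authnz_ldap and mod_authz_core are loaded. The nested attempt fails because the inner <LimitExcept PUT> names PUT, which the outer <LimitExcept GET PUT> has already excluded, so the inner section does not further restrict the outer one. The flat <Limit> layout below avoids nesting altogether, and the closing <LimitExcept GET PUT> block adds the explicit deny for every other method that a <Limit>-only configuration leaves unstated.

```apache
# Added example, not code from the thread. DNs, URL and bind credentials
# are assumed from the original post; adjust them to your directory.
<Location "/boballcharlieputs">
    AuthType Basic
    AuthName "Secure Area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
    AuthLDAPBindDN "uid=binder,ou=users,o=company"
    AuthLDAPBindPassword "password"

    # GET: Artist or WeatherMan. Several Require directives in the same
    # scope are combined with mod_authz_core's implicit RequireAny, so the
    # first group that matches authorizes the request.
    <Limit GET>
        Require ldap-group cn=Artist,ou=groups,o=company
        Require ldap-group cn=WeatherMan,ou=groups,o=company
    </Limit>

    # PUT: Artist or Actor.
    <Limit PUT>
        Require ldap-group cn=Artist,ou=groups,o=company
        Require ldap-group cn=Actor,ou=groups,o=company
    </Limit>

    # Every method that is not GET or PUT (POST, DELETE, OPTIONS, ...) is
    # refused outright. <Limit> only covers the methods it names, so without
    # this block the policy for the remaining methods is whatever the
    # server's defaults and the rest of the configuration happen to give.
    <LimitExcept GET PUT>
        Require all denied
    </LimitExcept>
</Location>
```

Run "httpd -t" (or "apachectl configtest") after adding it, then exercise it with one account per group: a WeatherMan user should get 200 on GET, 403 on PUT and 403 on DELETE, an Actor user 403 on GET and 200 on PUT, and an Artist user 200 on both. If a Require ldap-group never matches, check the member attribute of the group entry against AuthLDAPGroupAttribute before suspecting the <Limit> layout.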