On 03/03/2013 3:34 PM, "James Martin" <james.s.martin@gmail.com> wro= te:
>
> Folks,
>
> I'm attempting to using multiple LimitExcept directives in one
> Location. =A0Basically I want to give a the "Actor" l= dap group =A0GET &
> PUTT access, the "WeatherMan" ldap group only GET access, an= d the
> "Actor" ldap group PUT access. =A0I'm open to usi= ng either apache 2.2 or
> 2.4, as I see that apache 2.4 supports nesting of the Limit and
> LimitExcept directives. =A0This is what I've tried so far:
>

Can you please first check the above bold out groups for us? Is = that correct or one of them should be Artist instead?

>
> <Location "/boballcharlieputs">
> =A0 AuthType Basic
> =A0 AuthName "Secure Area"
> =A0 AuthBasicProvider ldap
> =A0 =A0AuthLDAPURL =A0 =A0 =A0 =A0 =A0 =A0 =A0"ldap://localhost:1= 0389/ou=3Dusers,o=3Dcompany?uid"
> =A0 AuthLDAPBindDN uid=3Dbinder,ou=3Dusers,o=3Dbashoproserv
> =A0 AuthLDAPBindPassword password

> <LimitExcept GET PUT>
> =A0 =A0 Require ldap-group cn=3DActor, ou=3Dgroups, o=3Dcompany
> </LimitExcept>

From the docs:

= <LimitExcept> and </LimitExcept> are used to enclose a group of access control directives which will then apply to any HTTP access method not listed in the arguments<= /p>In this context, isn't your above statement actually achieving the o= pposite from what you want?

> =A0<LimitExcept GET>
> =A0 =A0 =A0 =A0 Require ldap-group cn=3DWeatherMan, ou=3Dgroups, o=3Dc= ompany
> =A0</LimitExcept>
> =A0<LimitExcept PUT>
> =A0 =A0 =A0 =A0 Require ldap-group cn=3DActor, ou=3Dgroups, o=3Dcompan= y
> =A0</LimitExcept>
> </Location>
>
> In this case Apache only processes the last LimitExcept, so only
> operation that is successful is the PUT by a user in the Actor ldap > group.
>
>
> I've also attempted to nest these statements (new feature in 2.4) = and
> apache complains:
>
> "<LimitExcept> directive specifies methods already excluded= "
>
> Here is that example:
>
> <LimitExcept GET PUT>
> =A0 =A0 Require ldap-group cn=3DArtist, ou=3Dgroups, o=3Dbashop= roserv
> =A0 =A0 <LimitExcept PUT>
> =A0 =A0 =A0 =A0 Require ldap-group cn=3DActor, ou=3Dgroups, o= =3Dbashoproserv
> =A0 =A0 </LimitExcept>
> </LimitExcept>
>

So is it Actor or Artist or both??? Can't see Ar= tist in the first example...

The docs further say:

The <Limit> and <LimitExcept> directives may be nested. In this case, each successive level of <Limit> or <LimitExce= pt> directives must further restrict the set of methods to which access controls apply.=

When using <Limit> or <LimitExcept> directives with the Require directive, note that the first Require to succeed authorizes the request, regardless of the presence of other Require directives.

So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, a= nd having the above said in mind, I would try something like this:

<Limit GET PUT>
=A0=A0 Require ldap-group cn=3DArtist, ou=3Dgr= oups, o=3Dcompany
</Limit>
<Limit GET>
=A0=A0 Require = ldap-group cn=3DWeatherMan, ou=3Dgroups, o=3Dcompany
</Limit>
&= lt;Limit PUT>
=A0=A0 Require ldap-group cn=3DActor, ou=3Dgroups, o=3Dcompany
</Limi= t>

> I feel like I'm very close to getting this working, but I'm no= t quite
> grasping how to stack the LimitExcepts properly.
>
> Thanks for your help,
>
>
> James
>
> ---------------------------------------------------------------------<= br> > To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>