From: Igor Cicimov <icicimov@gmail.com>
To: users@httpd.apache.org
Date: Mon, 4 Mar 2013 08:08:42 +1100
Subject: Re: [users@httpd] using multiple LimitExcept directives
Mailing-List: users@httpd.apache.org (contact users-help@httpd.apache.org)


On 04/03/2013 3:36 AM, "James Martin" <james.s.martin@gmail.com> wrote:
>
> On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov <icicimov@gmail.com> wrote:
> >
> > On 03/03/2013 3:34 PM, "James Martin" <james.s.martin@gmail.com> wrote:
> >>
> >> Folks,
> >>
> >> I'm attempting to use multiple LimitExcept directives in one
> >> Location. Basically I want to give the "Actor" ldap group GET &
> >> PUT access, the "WeatherMan" ldap group only GET access, and the
> >> "Actor" ldap group PUT access. I'm open to using either apache 2.2 or
> >> 2.4, as I see that apache 2.4 supports nesting of the Limit and
> >> LimitExcept directives. This is what I've tried so far:
> >>
> >
> > Can you please first check the above bold out groups for us? Is that correct
> > or one of them should be Artist instead?
> >
>
> I realize there was a typo there, sorry about that. I said Actor
> twice. The groups should be Artist, Actor, and WeatherMan. Here's the
> proper text:
>
> Basically I want to give the "Artist" ldap group GET & PUT access,
> the "WeatherMan" ldap group only GET access, and the "Actor" ldap
> group PUT access. I'm open to using either apache 2.2 or 2.4, as I
> see that apache 2.4 supports nesting of the Limit and LimitExcept
> directives. This is what I've tried so far:
>
> <Location>
> <LimitExcept GET PUT>
>     Require ldap-group cn=Artist, ou=groups, o=company
> </LimitExcept>
> <LimitExcept GET>
>     Require ldap-group cn=WeatherMan, ou=groups, o=company
> </LimitExcept>
> <LimitExcept PUT>
>     Require ldap-group cn=Actor, ou=groups, o=company
> </LimitExcept>
> </Location>
>
> >>
> >> <Location "/boballcharlieputs">
> >>   AuthType Basic
> >>   AuthName "Secure Area"
> >>   AuthBasicProvider ldap
> >>   AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
> >>   AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
> >>   AuthLDAPBindPassword password
> >
> >
> >> <LimitExcept GET PUT>
> >>     Require ldap-group cn=Actor, ou=groups, o=company
> >> </LimitExcept>
> >
> > From the docs:
> >
> > <LimitExcept> and </LimitExcept> are used to enclose a group of access
> > control directives which will then apply to any HTTP access method not
> > listed in the arguments
> >
>
> It is my understanding that if you have GET PUT within LimitExcept
> then you are limiting all operations *except* GET & PUT.
>
>
> > In this context, isn't your above statement actually achieving the opposite
> > from what you want?
> >
> >> <LimitExcept GET>
> >>     Require ldap-group cn=WeatherMan, ou=groups, o=company
> >> </LimitExcept>
> >> <LimitExcept PUT>
> >>     Require ldap-group cn=Actor, ou=groups, o=company
> >> </LimitExcept>
> >> </Location>
> >>
> >> In this case Apache only processes the last LimitExcept, so the only
> >> operation that is successful is the PUT by a user in the Actor ldap
> >> group.
> >>
> >>
> >> I've also attempted to nest these statements (new feature in 2.4) and
> >> apache complains:
> >>
> >> "<LimitExcept> directive specifies methods already excluded"
> >>
> >> Here is that example:
> >>
> >> <LimitExcept GET PUT>
> >>     Require ldap-group cn=Artist, ou=groups, o=bashoproserv
> >>     <LimitExcept PUT>
> >>         Require ldap-group cn=Actor, ou=groups, o=bashoproserv
> >> =A0 =A0 </LimitExcept>
> >> </LimitExcept>
> >>
> >
> > So is it Actor or Artist or both??? Can't see Artist in the first example...
> >
> > The docs further say:
> >
> > The <Limit> and <LimitExcept> directives may be nested. In this case, each
> > successive level of <Limit> or <LimitExcept> directives must further
> > restrict the set of methods to which access controls apply.
> >
> > When using <Limit> or <LimitExcept> directives with the Require directive,
> > note that the first Require to succeed authorizes the request, regardless of
> > the presence of other Require directives.
> >
> > So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and
> > having the above said in mind, I would try something like this:
> >
> > <Limit GET PUT>
> >     Require ldap-group cn=Artist, ou=groups, o=company
> > </Limit>
> > <Limit GET>
> >     Require ldap-group cn=WeatherMan, ou=groups, o=company
> > </Limit>
> > <Limit PUT>
> >     Require ldap-group cn=Actor, ou=groups, o=company
> > </Limit>
> >
>
> I attempted your method and it *does* seem to work as I wanted
> (thanks!); however, my concern is as per the docs:
>
> """
> The following example applies the access control only to the methods
> POST, PUT, and DELETE, leaving all other methods unprotected:
>
> <Limit POST PUT DELETE>
>   Require valid-user
> </Limit>
> """
>
> To me that means that GET, CONNECT, OPTIONS, PATCH, PROPFIND,
> PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at
> all.
Correct, since those 3 are the important ones, so you need only some users to access them and you don't care about the other methods. Why else would you use Limit then with Require? By default ALL methods are unprotected. So in your case you don't need to give Artist GET access to anything, he already has it! The point is to allow access to that user ONLY and that's where Limit and Require come into play.

>
> It also mentions
>
> """
> A <LimitExcept> section should always be used in preference to a
> <Limit> section when restricting access, since a <LimitExcept> section
> provides protection against arbitrary methods.
> """
>
Correct BUT only if it matches your user case. Does it???
Nothing wrong with using Limit if you know exactly what you are doing.

> Perhaps I need to combine the Limit with a LimitExcept to catch all of
> the other methods not defined?
>
Sure, go on and try it. I'm only giving you some pointers; hope you'll come up with the solution that suits you yourself.

> Thanks,
>
> - James
>
>
> >> I feel like I'm very close to getting this working, but I'm not quite
> >> grasping how to stack the LimitExcepts properly.
> >>
> >> Thanks for your help,
> >>
> >>
> >> James
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> >> For additional commands, e-mail: users-help@httpd.apache.org
> >>
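The point Igor makes above (a method that no Limit section lists has no Require applied to it, so it is open to everyone) and the catch-all James asks about at the end are easy to get wrong by reading the docs alone, so here is a small model of the method-matching rules. This is an added example written for this thread; it is not code from the mailing list or from the httpd project. It assumes httpd 2.4 semantics: in the default RequireAny container the first Require to succeed authorizes, a method that no Require applies to is allowed, and HEAD is processed with the GET method number so a GET restriction also covers HEAD. The LDAP lookup is replaced by a pre-resolved set of group names for an already-authenticated user, the list of sample methods is constructed, and the `Require all denied` catch-all uses 2.4 syntax (2.2 would need Order/Deny instead).

```python
"""
Model of how Apache httpd's <Limit>/<LimitExcept> sections select which
Require directives apply to a request method, and why a Limit-only config
leaves every unlisted method open.

Added example for this thread, not code from the mailing list or from the
httpd project. Assumes httpd 2.4 RequireAny semantics and a pre-resolved set
of LDAP group names for an already-authenticated user.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    """A <Limit ...> (is_except=False) or <LimitExcept ...> (is_except=True)
    block together with the Require directives it encloses."""
    methods: frozenset
    is_except: bool
    requires: tuple  # e.g. ("ldap-group", "Artist") or ("all", "denied")

    def applies_to(self, method: str) -> bool:
        # httpd processes HEAD under the GET method number, so a GET
        # restriction (or exception) also covers HEAD.
        m = "GET" if method == "HEAD" else method
        listed = m in self.methods
        return not listed if self.is_except else listed


def limit(*methods, require):
    return Section(frozenset(methods), False, tuple(require))


def limit_except(*methods, require):
    return Section(frozenset(methods), True, tuple(require))


def require_succeeds(req, user_groups) -> bool:
    kind, arg = req
    if kind == "ldap-group":
        return arg in user_groups
    if kind == "all":
        return arg == "granted"
    raise ValueError(f"unsupported Require type: {kind}")


def applicable_requires(config, method):
    """Require directives whose enclosing section matches this method."""
    return [r for s in config if s.applies_to(method) for r in s.requires]


def authorize(config, method, user_groups) -> bool:
    """True if the request is authorized under the modelled config."""
    reqs = applicable_requires(config, method)
    if not reqs:
        return True  # nothing governs this method: open by default
    return any(require_succeeds(r, user_groups) for r in reqs)  # RequireAny


# Constructed sample of methods a client might send.
COMMON_METHODS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS",
                  "PATCH", "PROPFIND", "MKCOL")


def ungoverned_methods(config, methods=COMMON_METHODS):
    """Methods that no Require directive applies to, i.e. open to anyone."""
    return [m for m in methods if not applicable_requires(config, m)]


# Igor's suggestion from the thread; the httpd.conf it stands for is:
#   <Limit GET PUT>  Require ldap-group cn=Artist,...     </Limit>
#   <Limit GET>      Require ldap-group cn=WeatherMan,... </Limit>
#   <Limit PUT>      Require ldap-group cn=Actor,...      </Limit>
LIMIT_ONLY = [
    limit("GET", "PUT", require=[("ldap-group", "Artist")]),
    limit("GET", require=[("ldap-group", "WeatherMan")]),
    limit("PUT", require=[("ldap-group", "Actor")]),
]

# The catch-all James asked about, in 2.4 syntax (assumed):
#   <LimitExcept GET PUT> Require all denied </LimitExcept>
WITH_CATCH_ALL = LIMIT_ONLY + [
    limit_except("GET", "PUT", require=[("all", "denied")]),
]


if __name__ == "__main__":
    for name, cfg in (("Limit only", LIMIT_ONLY), ("with catch-all", WITH_CATCH_ALL)):
        print(f"{name}: ungoverned methods = {ungoverned_methods(cfg)}")
        for method, groups in (("GET", {"WeatherMan"}), ("PUT", {"WeatherMan"}),
                               ("DELETE", {"Artist"})):
            print(f"  {method} by {sorted(groups)}: {authorize(cfg, method, groups)}")
```

Running it shows the Limit-only layout leaves POST, DELETE, OPTIONS, PATCH, PROPFIND and MKCOL open to unauthenticated clients, while adding the LimitExcept catch-all closes them without changing what the three groups can do with GET and PUT. Two things the model does not cover: the real directives also require the user to authenticate first, and TRACE is not controlled by Limit sections at all but by TraceEnable.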
