httpd-users mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: [users@httpd] mod_authzn_ldap: combining queries to different LDAP layouts
Date Thu, 22 Mar 2018 09:41:13 GMT
On Thu, Mar 22, 2018 at 5:26 AM, sebb <sebbaz@gmail.com> wrote:
> Is it possible to use two mod_authzn_ldap checks that need different
> settings in the same Location container?
>
> For example:
>
> <Location ...>
> <RequireAny>
>   AuthType Basic
>   AuthBasicProvider ldap
>   AuthName ...
>   AuthLDAPurl ...
>   <RequireAll>
>     AuthLDAPGroupAttribute member
>     AuthLDAPGroupAttributeIsDN On
>     Require ldap-group cn=one,...
>   </RequireAll>
>   <RequireAll>
>     AuthLDAPGroupAttribute memberUid
>     AuthLDAPGroupAttributeIsDN Off
>     Require ldap-group cn=two,...
>   </RequireAll>
> </RequireAny>
> </Location>
>
> I have tried the above and it looks like only the last instance of
> AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN are used.
>
> The groups one and two are defined differently and need different
> settings if the validation is to work.
> The individual Require commands work if used in different <Location> sections.
>
> Is there a way to get round this?

I think you need to wrap them in AuthzProviderAlias'es so that they
technically will look more like separate "configuration sections" so
the module can actually access the two configs.

Note: If you do something similar for directives used during
Authentication you need the AuthnProviderAlias instead/in addition.
I am a little skeptical that the LDAP example here really works for
this reason: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html


>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>



-- 
Eric Covener
covener@gmail.com
