httpd-users mailing list archives

From sebb <seb...@gmail.com>
Subject Re: [users@httpd] mod_authzn_ldap: combining queries to different LDAP layouts
Date Thu, 22 Mar 2018 09:53:34 GMT
On 22 March 2018 at 09:41, Eric Covener <covener@gmail.com> wrote:
> On Thu, Mar 22, 2018 at 5:26 AM, sebb <sebbaz@gmail.com> wrote:
>> Is it possible to use two mod_authnz_ldap checks that need different
>> settings in the same Location container?
>>
>> For example:
>>
>> <Location ...>
>> <RequireAny>
>>   AuthType Basic
>>   AuthBasicProvider ldap
>>   AuthName ...
>>   AuthLDAPurl ...
>>   <RequireAll>
>>     AuthLDAPGroupAttribute member
>>     AuthLDAPGroupAttributeIsDN On
>>     Require ldap-group cn=one,...
>>   </RequireAll>
>>   <RequireAll>
>>     AuthLDAPGroupAttribute memberUid
>>     AuthLDAPGroupAttributeIsDN Off
>>     Require ldap-group cn=two,...
>>   </RequireAll>
>> </RequireAny>
>> </Location>
>>
>> I have tried the above and it looks like only the last instance of
>> AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN are used.
>>
>> The groups one and two are defined differently and need different
>> settings if the validation is to work.
>> The individual Require commands work if used in different <Location> sections.
>>
>> Is there a way to get round this?
>
> I think you need to wrap them in AuthzProviderAlias'es so that they
> technically will look more like separate "configuration sections" so
> the module can actually access the two configs.

Thanks very much.
That works in local testing.

> Note: If you do something similar for directives used during
> Authentication you need the AuthnProviderAlias instead/in addition.
> I am a little skeptical that the LDAP example here really works for
> this reason: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html
>
>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
>
> --
> Eric Covener
> covener@gmail.com
>
>
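
The layout suggested in the reply, sketched as an added example (not configuration posted in this thread or taken from the httpd project): each group check gets its own AuthzProviderAlias section, so each carries its own AuthLDAPGroupAttribute settings. The alias names ldap-group-one and ldap-group-two are hypothetical, the "..." values are the elisions from the original post, and repeating AuthLDAPUrl inside each alias is an assumption based on the pattern in the mod_authz_core documentation.

```apache
# Added example. Alias names are hypothetical; "..." marks values
# elided in the original post and must be filled in locally.

# AuthzProviderAlias is only valid in server config context, so the
# aliases are defined outside the <Location> container.

# Group "one": members stored as full DNs in the "member" attribute.
<AuthzProviderAlias ldap-group ldap-group-one "cn=one,...">
    # Assumption: connection settings are repeated per alias, because
    # each alias is evaluated as its own configuration section.
    AuthLDAPUrl ...
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
</AuthzProviderAlias>

# Group "two": members stored as bare user names in "memberUid".
<AuthzProviderAlias ldap-group ldap-group-two "cn=two,...">
    AuthLDAPUrl ...
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN Off
</AuthzProviderAlias>

<Location ...>
    # Authentication settings stay on the container itself.
    AuthType Basic
    AuthBasicProvider ldap
    AuthName ...
    AuthLDAPUrl ...

    # Membership in either group grants access; each Require line
    # resolves to the alias section defined above.
    <RequireAny>
        Require ldap-group-one
        Require ldap-group-two
    </RequireAny>
</Location>
```

After filling in the elided values, a request from a user who is in neither group should be denied; that case is the one to test, since a group-attribute mismatch can otherwise go unnoticed.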
