On Fri, Oct 31, 2008 at 5:16 AM, Oliver Marshall <[EMAIL PROTECTED]> wrote:
> Hi chaps,
>
> I have the following code setup in an apache config file to restrict
> access to trac sites on the server via LDAP group membership.
>
> ***************************
> <Location /url/to/page>
> SetHandler mod_python
> PythonInterpreter main_interpreter
> PythonHandler trac.web.modpython_frontend
> PythonOption TracEnv /trac/environ/site
> PythonOption TracUriRoot /url/to/page
>
> AuthName "Authentication"
>
> AuthType Basic
> AuthBasicProvider ldap
>
> AuthzLDAPAuthoritative on
>
> AuthLDAPBindDN "CN=LDAP USER,CN=Users,DC=mydomain,DC=local"
> AuthLDAPBindPassword passwordgoeshere
> AuthLDAPURL "ldap://ldapserver.mydomain.local:389/DC=mydomain,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
> AuthLDAPGroupAttributeIsDN on
> require ldap-group CN=testgroup,OU=Security Groups,OU=My OU,DC=mydomain,DC=local
>
> Require valid-user
> </Location>
> ****************************
>
> This works fine, with one slight exception. When we change the
> membership of the ldap group (in active directory on a windows box), we
> have to restart Apache on the linux box. A reload doesn't work, it has to
> be a restart. If we don't, then the changes to the group aren't
> recognised. It's as though the membership of the group is cached on the
> linux box and that cache is never updated.
>

Should last 10 minutes in the cache by default:

http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#ldapcachettl
http://httpd.apache.org/docs/2.2/mod/mod_ldap.html#ldapopcachettl

--
Eric Covener
[EMAIL PROTECTED]

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
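
The two mod_ldap directives linked in the reply, shown as an added configuration example for Apache 2.2 that is not from either poster. The 60-second values, the `/ldap-cache-info` path and the localhost-only restriction are assumptions chosen for illustration.

```apache
# Added example (constructed): mod_ldap cache settings for Apache 2.2.
# These directives are accepted only in the main server config, not inside
# <Location> or <VirtualHost>, so they sit beside the <Location> block from
# the original post rather than in it.

# Search/bind cache: holds the username -> DN searches that ended in a
# successful bind. Default TTL is 600 seconds (the "10 minutes" in the reply).
LDAPCacheTTL 60

# Operation (compare) cache: holds the results of LDAP compare operations,
# including the group-membership compares behind "require ldap-group".
# Default TTL is 600 seconds. A user removed from the group can keep passing
# the group check until the cached compare expires, so this value bounds how
# long a revoked membership stays effective on the web server.
LDAPOpCacheTTL 60

# Cache sizes, shown at their documented defaults. Setting
# LDAPOpCacheEntries to 0 disables operation caching entirely, at the cost
# of a compare against the directory on every request.
LDAPCacheEntries 1024
LDAPOpCacheEntries 1024

# mod_ldap's status handler lists the cache contents and hit counts, which
# shows whether a stale group compare is still being served from cache.
# Path and access restriction are assumptions (2.2-style access control).
<Location /ldap-cache-info>
    SetHandler ldap-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
```

Shorter TTLs mean more queries against the directory server, so the value is a trade-off between revocation latency and LDAP load.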