I've just been asked to implement in Apache HTTPD a restricted access area
that drives off membership in an LDAP group.
I have production services running on Solaris 10 using Apache/2.2.6.
Eventually these will be replaced with servers running on RHEL 6 using
Apache/2.2.15, but that's not likely to be availble before mid-year, while this
need to control access to some directories by LDAP group membership exists NOW.
I already have this kind of setup that allows me to simplify my access control:
<Location ~ "^/(.*)/intranet(.html|/(.*)?)$">
CosignProtected On
AuthType Cosign
AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
AuthLDAPBindPassword "password56789"
require ldap-filter uid=*
Order allow,deny
Allow from all
</Location>
Any request that ends with "/intranet.html" or contains "/intranet/" in the
path has our single signon solution Cosign forced upon it. This forces any
attempted access to any path containing "intranet" to provide credentials
authenticated by the institution as a whole.
Further, it then enforces that the authenticated User ID be found matching a
uid entry in an LDAP server.
Now I know that I can restrict a given explicit path to a specific LDAP group,
but as the feature becomes more widely recognized by my website authors, I can
see departments left and right asking for the feature, and I don't want to be
writing a new custom stanza for each department every week or so. I'd like to
make it dynamic, so one stanza will cover the current need and all similar
needs in the future just by creating the a new directory that matches the
LOCATION pattern:
<Location ~ "^/(.*)/restricted(.html|/(.*)?)$">
CosignProtected On
AuthType Cosign
AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
AuthLDAPBindPassword "password56789"
## somehow get the value for the group from the URI supplied
require ldap-group cn=A.DYNAMICALLY.IDENTIFIED.LDAP.GROUP
Order allow,deny
Allow from all
</Location>
Where the LDAP group required is driven by something in the URI. What's
desired is a way to caputre the desired LDAP GROUP from the URI, so all the
website authors need to do is to create content with a path that contains
"/restricted/THIS.LDAP.GROUP/", and then USE that piece of the URI as the group
to require.
I'm presuming that there's some way, using a mod_rewrite rule, to extract the
desired information from the URI and stash it, say, in an environment variable.
The task then is to somehow use that extracted value to impose the
appropriate restrictions in the require directive. Thus, website authors
create a directory path
..../restricted/THIS.LDAP.GROUP/content.that.is.restricted.html and the
required group would automatically be cn=THIS.LDAP.GROUP for that directory and
below.
Is there any way to do this without having to rewrite or add on to
mod_authnz_ldap ? Maybe some way to inject the desired group into the
ldap-filter format of the require directive?
--
J.Lance Wilkinson ("Lance") InterNet: lance.wilkin...@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org