Re: [users@httpd] Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

Fri, 24 Feb 2012 06:23:08 -0800 

Eric Covener wrote:

LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
queried, but you might not be able to express the rules you need using
attributes only.


        Not sure exactly what you're saying here...  "AUTHENTICATE_* vars"
        are those environment variables or something?  I've never seen them
        in the environment presented to a CGI script or a PHP script.  Are
        they environment variables that can be used in other Apache directives?
        As I currently use things like %{REQUEST_URI} in a rewrite rule or
        rewrite condition?   If that's the case, what gets substituted for
        the "*"?  Is it AUTHENTICATE_attribute like AUTHENTICATE_UID or
        AUTHENTICATE_MAIL, substituting LDAP attributes for the wildcard,
        or is there some specific vocabulary of substitutions for the
        wildcard?  Is there a listing or documentation someplace that
        specifically addresses this that I've missed?



Some directory servers allow group membership to be read as a "magic"
attribute in LDAP.  Notably, tivoli directory server allows an
ibm-allGroups element to be used (result only, not filtered on) which
you could them find a way to check more dynamically (setenvif, allow
from env=...).


        I think we may be using those features on our university-wide
        LDAP server here, but not in that manner.  I have used at least one
        ibm-* attribute in other capacities, but with custom developed
        code in a CGI script, not at the Apache authentication/authorization
        level.

--
J.Lance Wilkinson ("Lance")           InterNet: lance.wilkin...@psu.edu
Systems Design Specialist - Lead        Phone: (814) 865-4870
Digital Library Technologies            FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
  "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org























					Reply via email to