I don't believe I ever got a reply to this, so since it's been a month I'll
repeat it...

        the story so far:  I have a need to be able to parse into an
        environment variable (using Rewrite rules or some such) a value
        that then can be used in a *require* directive like

                require ldap-group      
        or      require ldap-filter

        Using Apache v2.2.6 on Solaris 10, Apache 2.2.15 on Linux RHEL 6,
        pretty much the same Apache configurations on both.

        Is this something possible NOW using stock modules, or is this
        something that I will have with Apache 2.4 and its stock modules,
        or is this something I would need to implement new or modified
        code to achieve?

Eric Covener wrote:
LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
queried, but you might not be able to express the rules you need using
attributes only.

        Not sure exactly what you're saying here...  "AUTHENTICATE_* vars"
        are those environment variables or something?  I've never seen them
        in the environment presented to a CGI script or a PHP script.  Are
        they environment variables that can be used in other Apache directives?
        As I currently use things like %{REQUEST_URI} in a rewrite rule or
        rewrite condition?   If that's the case, what gets substituted for
        the "*"?  Is it AUTHENTICATE_attribute like AUTHENTICATE_UID or
        AUTHENTICATE_MAIL, substituting LDAP attributes for the wildcard,
        or is there some specific vocabulary of substitutions for the
        wildcard?  Is there a listing or documentation someplace that
        specifically addresses this that I've missed?


Some directory servers allow group membership to be read as a "magic"
attribute in LDAP.  Notably, Tivoli Directory Server allows an
ibm-allGroups element to be used (result only, not filtered on) which
you could then find a way to check more dynamically (setenvif, allow
from env=...).

        I think we may be using those features on our university-wide
        LDAP server here, but not in that manner.  I have used at least one
        ibm-* attribute in other capacities, but with custom developed
        code in a CGI script, not at the Apache authentication/authorization
        level.

--
J.Lance Wilkinson ("Lance")           InterNet: lance.wilkin...@psu.edu
Systems Design Specialist - Lead        Phone: (814) 865-4870
Digital Library Technologies            FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
