On 03/03/2013 3:34 PM, "James Martin" <james.s.mar...@gmail.com> wrote:
>
> Folks,
>
> I'm attempting to use multiple LimitExcept directives in one
> Location. Basically I want to give the "*Actor*" ldap group GET &
> PUT access, the "WeatherMan" ldap group only GET access, and the
> "*Actor*" ldap group PUT access. I'm open to using either apache 2.2 or
> 2.4, as I see that apache 2.4 supports nesting of the Limit and
> LimitExcept directives. This is what I've tried so far:
>

Can you please first check the bolded groups above for us? Is that correct, or should one of them be Artist instead?

> <Location "/boballcharlieputs">
> AuthType Basic
> AuthName "Secure Area"
> AuthBasicProvider ldap
> AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
> AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
> AuthLDAPBindPassword password
> <LimitExcept GET PUT>
> Require ldap-group cn=Actor, ou=groups, o=company
> </LimitExcept>

From the docs:

    <LimitExcept> and </LimitExcept> are used to enclose a group of access control directives which will then apply to any HTTP access method *not* listed in the arguments

In this context, isn't your above statement actually achieving the opposite of what you want?

> <LimitExcept GET>
> Require ldap-group cn=WeatherMan, ou=groups, o=company
> </LimitExcept>
> <LimitExcept PUT>
> Require ldap-group cn=Actor, ou=groups, o=company
> </LimitExcept>
> </Location>
>
> In this case Apache only processes the last LimitExcept, so the only
> operation that is successful is the PUT by a user in the Actor ldap
> group.
>
>
> I've also attempted to nest these statements (new feature in 2.4) and
> apache complains:
>
> "<LimitExcept> directive specifies methods already excluded"
>
> Here is that example:
>
> <LimitExcept GET PUT>
> Require ldap-group cn=*Artist*, ou=groups, o=bashoproserv
> <LimitExcept PUT>
> Require ldap-group cn=*Actor*, ou=groups, o=bashoproserv
> </LimitExcept>
> </LimitExcept>
>

So is it Actor or Artist or both??? Can't see Artist in the first example...

The docs further say:

    The <Limit> and <LimitExcept> <http://httpd.apache.org/docs/current/mod/core.html#limitexcept> directives may be nested. In this case, *each successive level of <Limit> or <LimitExcept> directives must further restrict the set of methods to which access controls apply.*

    When using <Limit> or <LimitExcept> directives with the Require <http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require> directive, note that the *first Require to succeed authorizes the request, regardless of the presence of other Require directives.*

So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and having the above said in mind, I would try something like this:

<Limit GET PUT>
Require ldap-group cn=Artist, ou=groups, o=company
</Limit>
<Limit GET>
Require ldap-group cn=WeatherMan, ou=groups, o=company
</Limit>
<Limit PUT>
Require ldap-group cn=Actor, ou=groups, o=company
</Limit>

> I feel like I'm very close to getting this working, but I'm not quite
> grasping how to stack the LimitExcepts properly.
>
> Thanks for your help,
>
>
> James
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
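To make the scoping rules quoted from the docs concrete, here is an added example (not code from the thread or from Apache httpd): a small Python model that parses the two snippets above and applies the documented semantics, namely that a Require inside <Limit> covers only the listed methods, one inside <LimitExcept> covers every method not listed, and the first Require to succeed authorizes. The method and group names are the thread's; parse_rules and authorized are this example's own, and treating "no applicable Require" as denied is its assumption, not a statement about what httpd does.

```python
import re
# Added example, not Apache's own code: a minimal model of how a Require
# inside <Limit> / <LimitExcept> is scoped to a method set, and of the
# documented rule that the first Require to succeed authorizes the request.
SECTION_RE = re.compile(r"^<(Limit|LimitExcept)\s+([^>]+)>$")
REQUIRE_RE = re.compile(r"^Require\s+ldap-group\s+cn=([^,]+)")

def parse_rules(config):
    """Return (kind, methods, group) for every Require scoped by a section."""
    rules, section = [], None
    for line in (l.strip() for l in config.splitlines()):
        if m := SECTION_RE.match(line):
            section = (m.group(1), {x.upper() for x in m.group(2).split()})
        elif line in ("</Limit>", "</LimitExcept>"):
            section = None
        elif (m := REQUIRE_RE.match(line)) and section:
            rules.append((*section, m.group(1).strip()))
    return rules

def authorized(config, method, user_groups):
    """True if some Require applying to `method` (upper case) names a user group."""
    for kind, methods, group in parse_rules(config):
        # <Limit> covers the listed methods; <LimitExcept> covers every other method
        applies = (method in methods) if kind == "Limit" else (method not in methods)
        if applies and group in user_groups:
            return True  # first Require to succeed authorizes
    return False  # no applicable Require succeeded: the model treats this as denied

# Constructed from the thread: the posted <LimitExcept> version ...
POSTED = """
<LimitExcept GET PUT>
Require ldap-group cn=Actor, ou=groups, o=company
</LimitExcept>
<LimitExcept GET>
Require ldap-group cn=WeatherMan, ou=groups, o=company
</LimitExcept>
"""
# ... and the reply's <Limit> version (Artist GET+PUT, WeatherMan GET, Actor PUT).
PROPOSED = """
<Limit GET PUT>
Require ldap-group cn=Artist, ou=groups, o=company
</Limit>
<Limit GET>
Require ldap-group cn=WeatherMan, ou=groups, o=company
</Limit>
<Limit PUT>
Require ldap-group cn=Actor, ou=groups, o=company
</Limit>
"""
```

Run against POSTED, the model grants WeatherMan POST but not GET, the inversion the reply points out; against PROPOSED it grants exactly the intended method per group. A method named in no <Limit> section (POST, DELETE) matches no Require at all in this model, which is worth checking against what the server actually does with those methods.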