On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov <icici...@gmail.com> wrote:
>
> On 03/03/2013 3:34 PM, "James Martin" <james.s.mar...@gmail.com> wrote:
>>
>> Folks,
>>
>> I'm attempting to using multiple LimitExcept directives in one
>> Location. Basically I want to give a the "Actor" ldap group GET &
>> PUTT access, the "WeatherMan" ldap group only GET access, and the
>> "Actor" ldap group PUT access. I'm open to using either apache 2.2 or
>> 2.4, as I see that apache 2.4 supports nesting of the Limit and
>> LimitExcept directives. This is what I've tried so far:
>>
>
> Can you please first check the above bold out groups for us? Is that correct
> or one of them should be Artist instead?
>
I realize there was a typo there, sorry about that. I said Actor
twice. The groups should be Artist, Actor, and WeatherMan Here's the
proper text:
Basically I want to give a the "Artist" ldap group GET & PUT access,
the "WeatherMan" ldap group only GET access, and the "Actor" ldap
group PUT access. I'm open to using either apache 2.2 or 2.4, as I
see that apache 2.4 supports nesting of the Limit and LimitExcept
directives. This is what I've tried so far:
<Location>
<LimitExcept GET PUT>
Require ldap-group cn=Artist, ou=groups, o=company
</LimitExcept>
<LimitExcept GET>
Require ldap-group cn=WeatherMan, ou=groups, o=company
</LimitExcept>
<LimitExcept PUT>
Require ldap-group cn=Actor, ou=groups, o=company
</LimitExcept>
</Location>
>>
>> <Location "/boballcharlieputs">
>> AuthType Basic
>> AuthName "Secure Area"
>> AuthBasicProvider ldap
>> AuthLDAPURL
>> "ldap://localhost:10389/ou=users,o=company?uid";
>> AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
>> AuthLDAPBindPassword password
>
>
>> <LimitExcept GET PUT>
>> Require ldap-group cn=Actor, ou=groups, o=company
>> </LimitExcept>
>
> From the docs:
>
> <LimitExcept> and </LimitExcept> are used to enclose a group of access
> control directives which will then apply to any HTTP access method not
> listed in the arguments
>
It is my understanding that if you have GET PUT within LimitExcept
then you are limiting all operations *except* GET & PUT.
> In this context, isn't your above statement actually achieving the opposite
> from what you want?
>
>> <LimitExcept GET>
>> Require ldap-group cn=WeatherMan, ou=groups, o=company
>> </LimitExcept>
>> <LimitExcept PUT>
>> Require ldap-group cn=Actor, ou=groups, o=company
>> </LimitExcept>
>> </Location>
>>
>> In this case Apache only processes the last LimitExcept, so only
>> operation that is successful is the PUT by a user in the Actor ldap
>> group.
>>
>>
>> I've also attempted to nest these statements (new feature in 2.4) and
>> apache complains:
>>
>> "<LimitExcept> directive specifies methods already excluded"
>>
>> Here is that example:
>>
>> <LimitExcept GET PUT>
>> Require ldap-group cn=Artist, ou=groups, o=bashoproserv
>> <LimitExcept PUT>
>> Require ldap-group cn=Actor, ou=groups, o=bashoproserv
>> </LimitExcept>
>> </LimitExcept>
>>
>
> So is it Actor or Artist or both??? Can't see Artist in the first example...
>
> The docs further say:
>
> The <Limit> and <LimitExcept> directives may be nested. In this case, each
> successive level of <Limit> or <LimitExcept> directives must further
> restrict the set of methods to which access controls apply.
>
> When using <Limit> or <LimitExcept> directives with the Require directive,
> note that the first Require to succeed authorizes the request, regardless of
> the presence of other Require directives.
>
> So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and
> having the above said in mind, I would try something like this:
>
>
> <Limit GET PUT>
> Require ldap-group cn=Artist, ou=groups, o=company
> </Limit>
> <Limit GET>
>
> Require ldap-group cn=WeatherMan, ou=groups, o=company
> </Limit>
> <Limit PUT>
>
> Require ldap-group cn=Actor, ou=groups, o=company
> </Limit>
>
I attempted your method and it *does* seem to work as I wanted
(thanks!); however, my concern is as per the docs:
"""
The following example applies the access control only to the methods
POST, PUT, and DELETE, leaving all other methods unprotected:
<Limit POST PUT DELETE>
Require valid-user
</Limit>
"""
To me that means that GET, CONNECT, OPTIONS, PATCH, PROPFIND,
PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at
all.
It also mentions
"""
A <LimitExcept> section should always be used in preference to a
<Limit> section when restricting access, since a <LimitExcept> section
provides protection against arbitrary methods.
"""
Perhaps I need to combine the Limit with a LimitExcept so catch all of
the other methods not defined?
Thanks,
- James
>> I feel like I'm very close to getting this working, but I'm not quite
>> grasping how to stack the LimitExcepts properly.
>>
>> Thanks for your help,
>>
>>
>> James
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>> For additional commands, e-mail: users-h...@httpd.apache.org
>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
