I've just been asked to implement in Apache HTTPD a restricted access area that drives off membership in an LDAP group.I have production services running on Solaris 10 using Apache/2.2.6. Eventually these will be replaced with servers running on RHEL 6 using Apache/2.2.15, but that's not likely to be availble before mid-year, while this need to control access to some directories by LDAP group membership exists NOW.
I already have this kind of setup that allows me to simplify my access control:
<Location ~ "^/(.*)/intranet(.html|/(.*)?)$">
CosignProtected On
AuthType Cosign
AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
AuthLDAPBindPassword "password56789"
require ldap-filter uid=*
Order allow,deny
Allow from all
</Location>
Any request that ends with "/intranet.html" or contains "/intranet/" in the
path has our single signon solution Cosign forced upon it. This forces any
attempted access to any path containing "intranet" to provide credentials
authenticated by the institution as a whole.
Further, it then enforces that the authenticated User ID be found matching a uid entry in an LDAP server.
Now I know that I can restrict a given explicit path to a specific LDAP group,but as the feature becomes more widely recognized by my website authors, I can see departments left and right asking for the feature, and I don't want to be writing a new custom stanza for each department every week or so. I'd like to make it dynamic, so one stanza will cover the current need and all similar needs in the future just by creating the a new directory that matches the LOCATION pattern:
<Location ~ "^/(.*)/restricted(.html|/(.*)?)$">
CosignProtected On
AuthType Cosign
AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
AuthLDAPBindPassword "password56789"
## somehow get the value for the group from the URI supplied
require ldap-group cn=A.DYNAMICALLY.IDENTIFIED.LDAP.GROUP
Order allow,deny
Allow from all
</Location>
Where the LDAP group required is driven by something in the URI. What's
desired is a way to caputre the desired LDAP GROUP from the URI, so all the
website authors need to do is to create content with a path that contains
"/restricted/THIS.LDAP.GROUP/", and then USE that piece of the URI as the group
to require.
I'm presuming that there's some way, using a mod_rewrite rule, to extract the desired information from the URI and stash it, say, in an environment variable. The task then is to somehow use that extracted value to impose the appropriate restrictions in the require directive. Thus, website authors create a directory path ..../restricted/THIS.LDAP.GROUP/content.that.is.restricted.html and the required group would automatically be cn=THIS.LDAP.GROUP for that directory and below.
Is there any way to do this without having to rewrite or add on to mod_authnz_ldap ? Maybe some way to inject the desired group into the ldap-filter format of the require directive?
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@xxxxxxx
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|