Re: Dynamic selection of mod_authnz_ldap's 'require ldap-group' object?

Eric Covener wrote:
LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
queried, but you might not be able to express the rules you need using
attributes only.

	Not sure exactly what you're saying here...  "AUTHENTICATE_* vars"
	are those environment variables or something?  I've never seen them
	in the environment presented to a CGI script or a PHP script.  Are
	they environment variables that can be used in other Apache directives?
	As I currently use things like %{REQUEST_URI} in a rewrite rule or
	rewrite condition?   If that's the case, what gets substituted for
	the "*"?  Is it AUTHENTICATE_attribute like AUTHENTICATE_UID or
	AUTHENTICATE_MAIL, substituting LDAP attributes for the wildcard,
	or is there some specific vocabulary of substitutions for the
	wildcard?  Is there a listing or documentation someplace that
	specifically addresses this that I've missed?


Some directory servers allow group membership to be read as a "magic"
attribute in LDAP.  Notably, Tivoli Directory Server allows an
ibm-allGroups element to be used (result only, not filtered on) which
you could then find a way to check more dynamically (setenvif, allow
from env=...).

	I think we may be using those features on our university-wide
	LDAP server here, but not in that manner.  I have used at least one
	ibm-* attribute in other capacities, but with custom developed
	code in a CGI script, not at the Apache authentication/authorization
	level.

--
J.Lance Wilkinson ("Lance")		InterNet: Lance.Wilkinson@xxxxxxx
Systems Design Specialist - Lead	Phone: (814) 865-4870
Digital Library Technologies		FAX:   (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
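
Added example (not code from either poster or from the Apache project): a CGI-side, fail-closed group check of the kind the reply mentions doing in custom code, reading the AUTHENTICATE_* variables discussed above. Assumptions: the attribute is listed in the AuthLDAPURL attribute field, the variable name is AUTHENTICATE_ plus the upper-cased attribute name, multiple values arrive in one string joined by ";", and the example.edu names and sample environment are constructed.

```python
"""Fail-closed group check on AUTHENTICATE_* variables inside a CGI script."""
import os

PREFIX = "AUTHENTICATE_"


def ldap_attr_values(environ, attribute, sep=";"):
    """Return the values exported for one LDAP attribute, or [] if none.

    Assumption: the variable is PREFIX + the upper-cased attribute name and
    multiple values are joined by `sep` in a single string.
    """
    raw = environ.get(PREFIX + attribute.upper(), "")
    return [v.strip() for v in raw.split(sep) if v.strip()]


def normalize_dn(dn):
    """Case-fold a DN and drop spaces around RDN separators for comparison."""
    return ",".join(part.strip() for part in dn.split(",")).casefold()


def is_member(environ, attribute, allowed_groups):
    """True only if an exported group DN equals an allowed DN exactly."""
    if not environ.get("REMOTE_USER"):
        return False  # no authenticated user: deny
    allowed = {normalize_dn(g) for g in allowed_groups}
    values = ldap_attr_values(environ, attribute)
    # Whole-DN comparison, never substring: "admins-readonly" must not pass.
    return any(normalize_dn(v) in allowed for v in values)


# Constructed sample environment, standing in for what the CGI would receive.
SAMPLE_ENV = {
    "REMOTE_USER": "jdoe",
    "AUTHENTICATE_UID": "jdoe",
    "AUTHENTICATE_IBM-ALLGROUPS": "cn=staff,ou=groups,dc=example,dc=edu; "
                                  "CN=Library-Admins, ou=groups, dc=example, dc=edu",
}
ALLOWED = ["cn=library-admins,ou=groups,dc=example,dc=edu"]  # hypothetical group

if __name__ == "__main__":
    ok = is_member(os.environ, "ibm-allGroups", ALLOWED)
    print("Status: 200 OK" if ok else "Status: 403 Forbidden")
    print("Content-Type: text/plain\n")
    print("allowed" if ok else "denied")
```

A missing variable, an empty value, or an unauthenticated request all result in a denial, so a configuration that stops exporting the attribute cannot silently grant access.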


