On 03/03/2013 3:34 PM, "James Martin" <james.s.martin@xxxxxxxxx> wrote:
>
> Folks,
>
> I'm attempting to use multiple LimitExcept directives in one
> Location. Basically I want to give the "Actor" ldap group GET &
> PUT access, the "WeatherMan" ldap group only GET access, and the
> "Actor" ldap group PUT access. I'm open to using either apache 2.2 or
> 2.4, as I see that apache 2.4 supports nesting of the Limit and
> LimitExcept directives. This is what I've tried so far:
>
Can you please first check the above bolded-out groups for us? Is that correct, or should one of them be Artist instead?
>
> <Location "/boballcharlieputs">
> AuthType Basic
> AuthName "Secure Area"
> AuthBasicProvider ldap
> AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
> AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
> AuthLDAPBindPassword password
> <LimitExcept GET PUT>
> Require ldap-group cn=Actor, ou=groups, o=company
> </LimitExcept>
From the docs:
<LimitExcept> and </LimitExcept> are used to enclose a group of access control directives which will then apply to any HTTP access method not listed in the arguments.
> <LimitExcept GET>
> Require ldap-group cn=WeatherMan, ou=groups, o=company
> </LimitExcept>
> <LimitExcept PUT>
> Require ldap-group cn=Actor, ou=groups, o=company
> </LimitExcept>
> </Location>
>
> In this case Apache only processes the last LimitExcept, so only
> operation that is successful is the PUT by a user in the Actor ldap
> group.
>
>
> I've also attempted to nest these statements (new feature in 2.4) and
> apache complains:
>
> "<LimitExcept> directive specifies methods already excluded"
>
> Here is that example:
>
> <LimitExcept GET PUT>
> Require ldap-group cn=Artist, ou=groups, o=bashoproserv
> <LimitExcept PUT>
> Require ldap-group cn=Actor, ou=groups, o=bashoproserv
> </LimitExcept>
> </LimitExcept>
>
So is it Actor or Artist or both??? Can't see Artist in the first example...
The docs further say:
The <Limit> and <LimitExcept> directives may be nested. In this case, each successive level of <Limit> or <LimitExcept> directives must further restrict the set of methods to which access controls apply.
When using <Limit> or <LimitExcept> directives with the Require directive, note that the first Require to succeed authorizes the request, regardless of the presence of other Require directives.

So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor, and having the above said in mind, I would try something like this:
> I feel like I'm very close to getting this working, but I'm not quite
> grasping how to stack the LimitExcepts properly.
>
> Thanks for your help,
>
>
> James
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>
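The reply above breaks off before the configuration it was going to propose. What follows is an added example (mine, not the replier's and not the Apache project's own text) of one way to express the stated rules on httpd 2.4: Artist gets GET and PUT, WeatherMan GET only, Actor PUT only, and every other method is refused. It assumes httpd 2.4 with mod_authz_core (for <RequireAny>) and mod_authnz_ldap loaded, uses o=company throughout (the question mixes o=company and o=bashoproserv), and the LDAP URL, bind DN, bind password and group DNs are placeholders carried over from the question, not real values.

```apache
# Added example, not from the original post. Assumes httpd 2.4,
# mod_authz_core + mod_authnz_ldap, and the placeholder LDAP tree
# ou=users,o=company / ou=groups,o=company used in the question.
<Location "/boballcharlieputs">
    AuthType Basic
    AuthName "Secure Area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
    AuthLDAPBindDN "uid=binder,ou=users,o=company"
    AuthLDAPBindPassword "password"

    # Anything that is not GET (or HEAD, which <Limit GET> also covers)
    # or PUT is refused outright: OPTIONS, DELETE, PATCH, PROPFIND, ...
    <LimitExcept GET PUT>
        Require all denied
    </LimitExcept>

    # Read access: Artist and WeatherMan. <RequireAny> makes the first
    # matching group sufficient, which is the "first Require to succeed
    # authorizes the request" behaviour quoted from the docs above.
    <Limit GET>
        <RequireAny>
            Require ldap-group cn=Artist,ou=groups,o=company
            Require ldap-group cn=WeatherMan,ou=groups,o=company
        </RequireAny>
    </Limit>

    # Write access: Artist and Actor.
    <Limit PUT>
        <RequireAny>
            Require ldap-group cn=Artist,ou=groups,o=company
            Require ldap-group cn=Actor,ou=groups,o=company
        </RequireAny>
    </Limit>
</Location>
```

The point of using three sibling sections instead of nested <LimitExcept> blocks is that a <Limit> section is only merged into the request's configuration when the request uses one of its listed methods, so the GET rules and the PUT rules never overwrite each other the way the three stacked <LimitExcept> blocks in the question did. It also sidesteps the "specifies methods already excluded" error: a nested section must cover a strict subset of its parent's methods, and <LimitExcept PUT> (everything but PUT) is a superset of <LimitExcept GET PUT> (everything but GET and PUT), so httpd rejects it. Note that <Limit GET> also governs HEAD, and that the closing <LimitExcept GET PUT> is what turns an otherwise permissive Location into a default-deny one; without it, methods such as DELETE or PROPFIND would fall through to whatever the parent context allows. After editing, run `apachectl -t` for a syntax check and then confirm the matrix with one user per group, e.g. `curl -u weatherman:... -X PUT http://host/boballcharlieputs/x` should get a 403 while the same user's GET gets 200.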