On Sun, Mar 3, 2013 at 4:08 PM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:
>
> On 04/03/2013 3:36 AM, "James Martin" <james.s.martin@xxxxxxxxx> wrote:
>>
>> On Sun, Mar 3, 2013 at 2:46 AM, Igor Cicimov <icicimov@xxxxxxxxx> wrote:
>> >
>> > On 03/03/2013 3:34 PM, "James Martin" <james.s.martin@xxxxxxxxx> wrote:
>> >>
>> >> Folks,
>> >>
>> >> I'm attempting to use multiple LimitExcept directives in one
>> >> Location. Basically I want to give the "Actor" ldap group GET &
>> >> PUT access, the "WeatherMan" ldap group only GET access, and the
>> >> "Actor" ldap group PUT access. I'm open to using either Apache 2.2 or
>> >> 2.4, as I see that Apache 2.4 supports nesting of the Limit and
>> >> LimitExcept directives. This is what I've tried so far:
>> >>
>> >
>> > Can you please first check the above bold out groups for us? Is that
>> > correct, or should one of them be Artist instead?
>> >
>>
>> I realize there was a typo there, sorry about that. I said Actor
>> twice. The groups should be Artist, Actor, and WeatherMan. Here's the
>> proper text:
>>
>> Basically I want to give the "Artist" ldap group GET & PUT access,
>> the "WeatherMan" ldap group only GET access, and the "Actor" ldap
>> group PUT access. I'm open to using either Apache 2.2 or 2.4, as I
>> see that Apache 2.4 supports nesting of the Limit and LimitExcept
>> directives. This is what I've tried so far:
>>
>> <Location>
>>   <LimitExcept GET PUT>
>>     Require ldap-group cn=Artist, ou=groups, o=company
>>   </LimitExcept>
>>   <LimitExcept GET>
>>     Require ldap-group cn=WeatherMan, ou=groups, o=company
>>   </LimitExcept>
>>   <LimitExcept PUT>
>>     Require ldap-group cn=Actor, ou=groups, o=company
>>   </LimitExcept>
>> </Location>
>>
>> >> <Location "/boballcharlieputs">
>> >>   AuthType Basic
>> >>   AuthName "Secure Area"
>> >>   AuthBasicProvider ldap
>> >>   AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
>> >>   AuthLDAPBindDN uid=binder,ou=users,o=bashoproserv
>> >>   AuthLDAPBindPassword password
>> >
>> >>   <LimitExcept GET PUT>
>> >>     Require ldap-group cn=Actor, ou=groups, o=company
>> >>   </LimitExcept>
>> >
>> > From the docs:
>> >
>> > <LimitExcept> and </LimitExcept> are used to enclose a group of access
>> > control directives which will then apply to any HTTP access method not
>> > listed in the arguments
>> >
>>
>> It is my understanding that if you have GET PUT within LimitExcept
>> then you are limiting all operations *except* GET & PUT.
>>
>> > In this context, isn't your above statement actually achieving the
>> > opposite of what you want?
>> >
>> >>   <LimitExcept GET>
>> >>     Require ldap-group cn=WeatherMan, ou=groups, o=company
>> >>   </LimitExcept>
>> >>   <LimitExcept PUT>
>> >>     Require ldap-group cn=Actor, ou=groups, o=company
>> >>   </LimitExcept>
>> >> </Location>
>> >>
>> >> In this case Apache only processes the last LimitExcept, so the only
>> >> operation that is successful is the PUT by a user in the Actor ldap
>> >> group.
>> >>
>> >> I've also attempted to nest these statements (new feature in 2.4) and
>> >> Apache complains:
>> >>
>> >> "<LimitExcept> directive specifies methods already excluded"
>> >>
>> >> Here is that example:
>> >>
>> >> <LimitExcept GET PUT>
>> >>   Require ldap-group cn=Artist, ou=groups, o=bashoproserv
>> >>   <LimitExcept PUT>
>> >>     Require ldap-group cn=Actor, ou=groups, o=bashoproserv
>> >>   </LimitExcept>
>> >> </LimitExcept>
>> >>
>> >
>> > So is it Actor or Artist or both??? Can't see Artist in the first
>> > example...
>> >
>> > The docs further say:
>> >
>> > The <Limit> and <LimitExcept> directives may be nested. In this case,
>> > each successive level of <Limit> or <LimitExcept> directives must
>> > further restrict the set of methods to which access controls apply.
>> >
>> > When using <Limit> or <LimitExcept> directives with the Require
>> > directive, note that the first Require to succeed authorizes the
>> > request, regardless of the presence of other Require directives.
>> >
>> > So, assuming GET+PUT for Artist, GET for WeatherMan and PUT for Actor,
>> > and having the above said in mind, I would try something like this:
>> >
>> > <Limit GET PUT>
>> >   Require ldap-group cn=Artist, ou=groups, o=company
>> > </Limit>
>> > <Limit GET>
>> >   Require ldap-group cn=WeatherMan, ou=groups, o=company
>> > </Limit>
>> > <Limit PUT>
>> >   Require ldap-group cn=Actor, ou=groups, o=company
>> > </Limit>
>> >
>>
>> I attempted your method and it *does* seem to work as I wanted
>> (thanks!); however, my concern is as per the docs:
>>
>> """
>> The following example applies the access control only to the methods
>> POST, PUT, and DELETE, leaving all other methods unprotected:
>>
>> <Limit POST PUT DELETE>
>>   Require valid-user
>> </Limit>
>> """
>>
>> To me that means that GET, CONNECT, OPTIONS, PATCH, PROPFIND,
>> PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK are not restricted at
>> all.
>
> Correct, since those 3 are important ones, so you need only some users to
> access them and you don't care about the other methods. Why else would you
> use Limit then with Require? By default ALL methods are unprotected. So in
> your case you don't need to give Artist GET access to anything, he already
> has it! The point is to allow access to that user ONLY and that's where
> Limit and Require come into play.
>
>> It also mentions
>>
>> """
>> A <LimitExcept> section should always be used in preference to a
>> <Limit> section when restricting access, since a <LimitExcept> section
>> provides protection against arbitrary methods.
>> """
>>
> Correct, BUT only if it matches your use case. Does it???
> Nothing wrong with using Limit if you know exactly what you are doing.
>
>> Perhaps I need to combine the Limit with a LimitExcept to catch all of
>> the other methods not defined?
>>
> Sure, go on and try it. I'm only giving you some pointers; hope you'll come
> up with the solution that suits you yourself.
>

Just a follow-up, I was able to get what I wanted with this approach.
Hopefully someone else can find this information useful. Thanks for your
pointers, they definitely helped!

# This stanza allows only folks belonging to the "Admin" group to put
# and get into /protected
<Location "/protected">
  <Limit GET PUT>
    Require ldap-group cn=Admin, ou=groups, o=company
  </Limit>
  # The following prevents all other methods to the location
  <LimitExcept GET PUT>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>

# The following stanza controls access to the /protected/boballcharlieputs
# location
# Someone from the Artist group can get and put
# Someone from the WeatherMan group can only get
# Someone from the Actor group can only put
<Location "/protected/boballcharlieputs">
  <Limit GET>
    Require ldap-group cn=WeatherMan, ou=groups, o=company
    Require ldap-group cn=Artist, ou=groups, o=company
  </Limit>
  <Limit PUT>
    Require ldap-group cn=Artist, ou=groups, o=company
    Require ldap-group cn=Actor, ou=groups, o=company
  </Limit>
  # The following blocks all other HTTP methods to the location
  <LimitExcept GET PUT>
    Order Allow,Deny
    Deny from all
  </LimitExcept>
</Location>

Thanks again,

James

>> Thanks,
>>
>> - James
>>
>> >> I feel like I'm very close to getting this working, but I'm not quite
>> >> grasping how to stack the LimitExcepts properly.
>> >>
>> >> Thanks for your help,
>> >>
>> >> James
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> >> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
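The same policy written for Apache 2.4, as an added example that is not part of the thread above and not James's or Igor's config. Host, port, bind DN, password and group DNs are placeholders carried over from the thread. It swaps the 2.2-only "Order Allow,Deny" / "Deny from all" pair (which 2.4 accepts only when mod_access_compat is loaded) for "Require all denied", and it marks three points the thread does not spell out: <Limit GET> also covers HEAD; several Require lines in one section are an implicit <RequireAny>, so membership in either group is enough; and on 2.4 the Require rules of the more specific Location replace the parent's (default AuthMerging Off), while AuthType and the LDAP settings are inherited.

```apache
# Added example, not from the thread: the same policy on Apache 2.4 with
# mod_authz_core and mod_authnz_ldap. Host, port, bind DN, password and
# group DNs are placeholders taken from the thread.

<Location "/protected">
    AuthType Basic
    AuthName "Secure Area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://localhost:10389/ou=users,o=company?uid"
    AuthLDAPBindDN "uid=binder,ou=users,o=company"
    # Placeholder secret; in practice keep it out of the main config file.
    AuthLDAPBindPassword "password"

    # GET and PUT: members of Admin only. <Limit GET> also covers HEAD.
    <Limit GET PUT>
        Require ldap-group cn=Admin,ou=groups,o=company
    </Limit>

    # Every other method (OPTIONS, POST, DELETE, PROPFIND, ...) is refused.
    # This replaces the 2.2 "Order Allow,Deny" / "Deny from all" pair,
    # which 2.4 accepts only when mod_access_compat is loaded.
    <LimitExcept GET PUT>
        Require all denied
    </LimitExcept>
</Location>

<Location "/protected/boballcharlieputs">
    # AuthType and the AuthLDAP* settings are inherited from /protected,
    # but the Require rules are not: with the default AuthMerging Off the
    # rules in this more specific section replace the parent's Admin rule.

    # Several Require lines in one section form an implicit <RequireAny>
    # (membership in either group is enough); it is written out here so
    # the OR is visible. <RequireAll> would demand both memberships.
    <Limit GET>
        <RequireAny>
            Require ldap-group cn=WeatherMan,ou=groups,o=company
            Require ldap-group cn=Artist,ou=groups,o=company
        </RequireAny>
    </Limit>

    <Limit PUT>
        <RequireAny>
            Require ldap-group cn=Artist,ou=groups,o=company
            Require ldap-group cn=Actor,ou=groups,o=company
        </RequireAny>
    </Limit>

    <LimitExcept GET PUT>
        Require all denied
    </LimitExcept>
</Location>

# TRACE is not subject to <Limit>/<LimitExcept>; turn it off at server or
# virtual host scope instead.
TraceEnable off
```

Check the result with apachectl -t before reloading, then verify method by method rather than trusting the config: a HEAD (curl -I) and a GET as a WeatherMan user should succeed on /protected/boballcharlieputs, a PUT as that user should get 403, and OPTIONS, DELETE or PROPFIND as any user should get 403 on both paths.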