I am currently running CentOS 5.5 running httpd-2.2.3-76 and using mod_ldap and mod_authnz_ldap to authenticate users against Active Directory. The problem that I am running into is the web application that i am using with Apache has no built in security abilities. So we have been using Apache's HTTP Authentication to password protect the site. The issue I am having now is before we had 1 single group that was allowed full access to the entire site. Now i have a second group that needs access to only a few folders on the site.
Current directory structure is like this.
Directory Structure like :
/data/folder { root folder for web tree }
/data/folder/projects/
/data/folder/projects/a
/data/folder/projects/b
Currently we have a Directory statement in Apache that looks like this:
<Directory /data/folder>
#SetHandler fastcgi-script
Options ExecCGI FollowSymLinks
AllowOverride None
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Secret"
AuthLDAPURL "ldap://
test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)" NONE
AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
AuthLDAPBindPassword mysupersecretpassword
Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
</Directory>
This configuration works great for giving all users access to the entire site, I now have a "contractors" group that i need to give access to only a certain number of folders. I noticed that if i modify my Directory statement and try to add several directory statements that are nested inside of each other things don't seem to work.
I have tried to do something like:
<Directory /data/folder>
#SetHandler fastcgi-script
Options ExecCGI FollowSymLinks
AllowOverride None
AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Secret"
AuthLDAPURL
"ldap://
test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)"
NONE
AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
AuthLDAPBindPassword mysupersecretpassword
Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
Require ldap-group CN=contractors,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
Satisfy any
</Directory>
I just wanted to see if i could give multiple groups access to the same folder but when i try to do that Apache stops prompting for a password and authentication breaks all together.
So question I have two fold, first is it not possible to allow multiple groups with mod_authnz_ldap to the same folder and use Satisfy any?? So even if i get the multiple group authentication working, is it going to be possible to say give permission with Apache / LDAP like i have explained below?
/data/folder { only users access }
/data/folder/project/a { users && contractor accesss }
/data/folder/project/b { users && contractor access }
/data/folder/project/c { users access only }}
Any help would be appreciated, i have messed with this for hours and can't seem to get it working.
Thanks much.
Devin
