Re: CentOS 5 / Apache 2.2 / mod_authnz_ldap issue

Eric -

Thanks for the response, I do see how the multiple requires act as an OR statement. The only issue that I am facing now is the scenario I mentioned above. Will Apache not let me do something like:

<Directory /data/folder>
#SetHandler fastcgi-script
Options ExecCGI FollowSymLinks
AllowOverride None

AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Secret"
AuthLDAPURL "ldap://test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)" NONE
AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
AuthLDAPBindPassword mysupersecretpassword

Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
</Directory>

<Directory /data/folder/projects/a>
#SetHandler fastcgi-script
Options ExecCGI FollowSymLinks
AllowOverride None

AuthBasicProvider ldap
AuthType Basic
AuthzLDAPAuthoritative off
AuthName "Secret"
AuthLDAPURL "ldap://test.mydomain.com:3268/DC=mydomain,DC=internal?sAMAccountName?sub?(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=internal)" NONE
AuthLDAPBindDN "CN=aduser,OU=ENT SERVICE ACCOUNTS,DC=mydomain,DC=internal"
AuthLDAPBindPassword mysupersecretpassword

Require ldap-group CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
Require ldap-group CN=contractors,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal
</Directory>

It appears that if I try to access http://projects/a using the contractor user, it doesn't take the authentication, almost like Apache is only considering the Directory state of /data/folder and completely ignoring my 2nd Directory statement. I get an error in my logs of:

[Thu Apr 04 18:22:17 2013] [error] [client 10.0.0.10] access to /projects/a/ failed, reason: require directives present and no Authoritative handler.

Anyway, thanks for your response. I am trying to figure out how Apache deals with multiple Directory statements inside the same directory tree.

Devin


On Thu, Apr 4, 2013 at 5:11 PM, Eric Covener <covener@xxxxxxxxx> wrote:
>
> I just wanted to see if I could give multiple groups access to the same
> folder, but when I try to do that Apache stops prompting for a password and
> authentication breaks altogether.

"Satisfy any" means either authorization (Require) or host-based
access control is required. You didn't configure any of the latter, so
access is granted.

>
> So the question I have is twofold: first, is it not possible to allow multiple
> groups with mod_authnz_ldap to the same folder and use Satisfy any?? So even
> if I get the multiple group authentication working, is it going to be
> possible to, say, give permission with Apache / LDAP like I have explained
> below?

Multiple requires in 2.2 are OR'ed together.
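
The two rules stated in the reply above ("Satisfy any" and OR'ed Require lines), as an added Python sketch that is not part of the original thread and is not httpd code. It is a simplified model: the function names, the status-code return values and the 192.168.0.0/24 network are assumptions made for illustration.

```python
import ipaddress

# Simplified model of the Apache 2.2 access decision discussed in this thread.
# All names here are hypothetical; this is not httpd source code.

USERS = "CN=users,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal"
CONTRACTORS = "CN=contractors,OU=ENT SECURITY GROUPS,DC=mydomain,DC=internal"

def host_check(client_ip, allow_from):
    """Host-based access control. allow_from=None models a section with no
    Allow/Deny lines: nothing restricts the client, so the check passes."""
    if allow_from is None:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(net) for net in allow_from)

def authz_check(user_groups, requires):
    """Multiple Require ldap-group lines are OR'ed: one match is enough."""
    return any(group in user_groups for group in requires)

def decide(satisfy, client_ip, allow_from, requires, user_groups):
    """Return the HTTP status for a request.
    user_groups is None when the client sent no credentials, otherwise the
    set of group DNs the authenticated user belongs to."""
    host_ok = host_check(client_ip, allow_from)
    if not requires:                      # no Require lines: host check decides
        return 200 if host_ok else 403
    if satisfy == "any" and host_ok:      # either check is sufficient
        return 200                        # granted without a password prompt
    if satisfy == "all" and not host_ok:  # both checks are mandatory
        return 403
    if user_groups is None:
        return 401                        # browser prompts for credentials
    return 200 if authz_check(user_groups, requires) else 401

if __name__ == "__main__":
    both = [USERS, CONTRACTORS]
    # Constructed requests; 10.0.0.10 is the client address from the log line.
    print(decide("any", "10.0.0.10", None, both, None))            # 200
    print(decide("all", "10.0.0.10", None, both, None))            # 401
    print(decide("all", "10.0.0.10", None, both, {CONTRACTORS}))   # 200
    print(decide("any", "10.0.0.10", ["192.168.0.0/24"], both, None))  # 401
```

The first call reproduces the "stops prompting for a password" symptom: with "Satisfy any" and no host restriction, the Require lines are never consulted.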
