All,

I'm having trouble getting <Limit> and Satisfy to work within a <Location>.
I'm using Apache httpd 2.2.22 on Debian Wheezy.

Now, "Satisfy" is not documented to work under <Location> elements, but
also <Limit> is not documented to work under <Location>, and seems to
work without a problem. I was wondering if it's just an accident that
<Limit> works under <Location>, but that Satisfy can't, or the
documentation is inaccurate, or if I simply can't do what I want to do.

I am trying to protect a part of my filesystem that is accessible via
WebDAV. I'm using mod_dav along with mod_auth_ldap and I'd like to be
able to do this:

    <Directory /path/to/dav/some/subdir>
        <Limit HEAD GET OPTIONS PROPFIND>
            Satisfy Any
            Require ldap-group cn=some-read-only-group
            Require ldap-group cn=some-read-only-other-group
        </Limit>
        <LimitExcept HEAD GET OPTIONS PROPFIND>
            Satisfy Any
            Require ldap-group cn=some-read-write-group
        </LimitExcept>
    </Directory>

The closest thing I'm able to get working is this:

    <Location "/dav/Clinical/grants">
        <Limit HEAD GET OPTIONS PROPFIND>
            Require ldap-group cn=some-read-only-group
        </Limit>
        <LimitExcept HEAD GET OPTIONS PROPFIND>
            Require ldap-group cn=some-read-write-group
        </LimitExcept>
    </Location>

It looks like I have to use <Location> instead of <Directory> because
<Directory> does not protect directories being handled by mod_dav. Can
someone confirm that?

Whenever I use "Satisfy Any" anywhere, it appears to apply to a
much-wider set of files than is specified in <Limit> or <Location>.

Is there a way to do complicated permissions along with WebDAV?
I'd appreciate any suggestions anyone might have.

While I'm at it, I'd like to know whether path-ordering in httpd.conf
will have any bearing on how the permissions are applied. Ideally, I'd
like to be able to set permissions on a top-level directory, then
override those permissions on a sub-directory -- not necessarily either
widening or narrowing the permissions... I might want to do a little of
both.

-chris
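
Added example, not part of the original message: a small Python audit that lists every "Satisfy Any" in an httpd 2.2-style configuration together with the section and methods it sits under, and marks those with no "Deny" in any enclosing section. In httpd 2.2, "Satisfy Any" grants access when either the host-based check or the Require check passes, so those entries are the ones to review. The sample configuration, the /dav/internal path and the function name audit_satisfy_any are constructed for illustration, and Deny rules inherited from other sections are not tracked.

```python
import re

# Constructed sample, shaped like the configuration in the message above.
SAMPLE_CONF = """\
<Location "/dav/Clinical/grants">
    <Limit HEAD GET OPTIONS PROPFIND>
        Satisfy Any
        Require ldap-group cn=some-read-only-group
    </Limit>
</Location>
<Location "/dav/internal">
    Deny from all
    Allow from 10.0.0.0/8
    Satisfy Any
    Require valid-user
</Location>
"""
LIMITS = ("limit", "limitexcept")

def audit_satisfy_any(conf_text):
    """List each 'Satisfy Any' with its enclosing section, methods and Deny status."""
    stack, found = [], []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        opened = re.match(r"<(\w+)\s*([^>]*)>$", line)
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif opened:
            stack.append({"name": opened.group(1).lower(),
                          "arg": opened.group(2).strip(), "deny": False})
        elif stack and re.match(r"deny\s+from\b", line, re.I):
            stack[-1]["deny"] = True  # host restriction declared directly in this section
        elif re.match(r"satisfy\s+any\b", line, re.I):
            found.append((lineno, list(stack)))  # keep references: a Deny may follow later
    report = []
    for lineno, scope in found:
        limit = next((s for s in scope if s["name"] in LIMITS), None)
        outer = next((s for s in scope if s["name"] not in LIMITS), None)
        report.append({
            "line": lineno,
            "section": f'{outer["name"]} {outer["arg"]}' if outer else "(server)",
            "methods": f'{limit["name"]} {limit["arg"]}' if limit else "all methods",
            "no_deny_in_scope": not any(s["deny"] for s in scope),  # True: review this one
        })
    return report

if __name__ == "__main__":
    print(*audit_satisfy_any(SAMPLE_CONF), sep="\n")
```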