On Thu, Mar 22, 2018 at 5:26 AM, sebb <sebbaz@xxxxxxxxx> wrote:
> Is it possible to use two mod_authnz_ldap checks that need different
> settings in the same Location container?
>
> For example:
>
> <Location ...>
> <RequireAny>
> AuthType Basic
> AuthBasicProvider ldap
> AuthName ...
> AuthLDAPurl ...
> <RequireAll>
> AuthLDAPGroupAttribute member
> AuthLDAPGroupAttributeIsDN On
> Require ldap-group cn=one,...
> </RequireAll>
> <RequireAll>
> AuthLDAPGroupAttribute memberUid
> AuthLDAPGroupAttributeIsDN Off
> Require ldap-group cn=two,...
> </RequireAll>
> </RequireAny>
> </Location>
>
> I have tried the above and it looks like only the last instance of
> AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN are used.
>
> The groups one and two are defined differently and need different
> settings if the validation is to work.
> The individual Require commands work if used in different <Location> sections.
>
> Is there a way to get round this?

I think you need to wrap them in AuthzProviderAlias'es so that they
technically will look more like separate "configuration sections" so
the module can actually access the two configs.

Note: If you do something similar for directives used during
Authentication you need the AuthnProviderAlias instead/in addition.

I am a little skeptical that the LDAP example here really works for this reason:
https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html

>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>

--
Eric Covener
covener@xxxxxxxxx
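
A sketch of the AuthzProviderAlias approach suggested in the reply, added here as an illustration; it is not configuration from the thread or from the httpd project, and it is untested. The alias names `ldap-group-one` and `ldap-group-two` are hypothetical, and every `...` is a value elided in the original question.

```apache
# Added sketch, not part of the original thread.
# <AuthzProviderAlias> is only valid in server config context, so the
# aliases are defined outside <Location>.
# AuthLDAPUrl is repeated inside each alias, following the pattern of the
# LDAP example in the mod_authz_core documentation.

# Group "one": membership stored as full DNs in the "member" attribute.
<AuthzProviderAlias ldap-group ldap-group-one "cn=one,...">
    AuthLDAPUrl ...
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN On
</AuthzProviderAlias>

# Group "two": membership stored as bare user names in "memberUid".
<AuthzProviderAlias ldap-group ldap-group-two "cn=two,...">
    AuthLDAPUrl ...
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN Off
</AuthzProviderAlias>

<Location ...>
    AuthType Basic
    AuthBasicProvider ldap
    AuthName ...
    AuthLDAPUrl ...

    # Each alias carries its own group-attribute settings, so the two
    # checks no longer share one merged per-directory configuration.
    <RequireAny>
        Require ldap-group-one
        Require ldap-group-two
    </RequireAny>
</Location>
```

Before relying on this for access control, confirm with a user who belongs only to group one, a user who belongs only to group two, and a user in neither, that each alias is evaluated with its own settings and that the third user is denied.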