Re: mod_authnz_ldap: combining queries to different LDAP layouts

On 22 March 2018 at 09:41, Eric Covener <covener@xxxxxxxxx> wrote:
> On Thu, Mar 22, 2018 at 5:26 AM, sebb <sebbaz@xxxxxxxxx> wrote:
>> Is it possible to use two mod_authnz_ldap checks that need different
>> settings in the same Location container?
>>
>> For example:
>>
>> <Location ...>
>> <RequireAny>
>>   AuthType Basic
>>   AuthBasicProvider ldap
>>   AuthName ...
>>   AuthLDAPurl ...
>>   <RequireAll>
>>     AuthLDAPGroupAttribute member
>>     AuthLDAPGroupAttributeIsDN On
>>     Require ldap-group cn=one,...
>>   </RequireAll>
>>   <RequireAll>
>>     AuthLDAPGroupAttribute memberUid
>>     AuthLDAPGroupAttributeIsDN Off
>>     Require ldap-group cn=two,...
>>   </RequireAll>
>> </RequireAny>
>> </Location>
>>
>> I have tried the above and it looks like only the last instance of
>> AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN are used.
>>
>> The groups one and two are defined differently and need different
>> settings if the validation is to work.
>> The individual Require commands work if used in different <Location> sections.
>>
>> Is there a way to get round this?
>
> I think you need to wrap them in AuthzProviderAlias'es so that they
> technically will look more like separate "configuration sections" so
> the module can actually access the two configs.

Thanks very much.
That works in local testing.

> Note: If you do something similar for directives used during
> Authentication you need the AuthnProviderAlias instead/in addition.
> I am a little skeptical that the LDAP example here really works for
> this reason: https://httpd.apache.org/docs/2.4/mod/mod_authz_core.html
>
>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
>> For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
>>
>
>
>
> --
> Eric Covener
> covener@xxxxxxxxx
>
>
