Re: Group authentication to AD


 




>There's require ldap-filter!
>You should definitely take a look at those.
>http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#reqfilter
>That should help you ask for pretty much *anything*


I have require ldap-filters configured in my location block, but it is not filtering.  It is still letting any valid userid through.
My location block is configured as below:

<Location /test_repo>
dav svn
SVNPath /disk01/home/test_repo
AuthType Basic
AuthName "Subversion Repository"
AuthBasicProvider ldap-FCGNET ldap-VIET
AuthzLDAPAuthoritative on
Require valid-user
Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
#Require ldap-user pmoss
</Location>
 
I've configured my aliases, in my http.conf file, as follows:
<AuthnProviderAlias ldap ldap-FCGNET>
        AuthLDAPBindDN FCGNET\account_name
        AuthLDAPBindPassword xxxxxxxxxx
        AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
</AuthnProviderAlias>
<AuthnProviderAlias ldap ldap-VIET>
        AuthLDAPBindDN "CN=account_name,OU=Service Accounts,OU=Users,OU=Production,DC=domain,DC=com"
        AuthLDAPBindPassword xxxxxxxxx
        AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
</AuthnProviderAlias>



PATI MOSS
System Engineer Sr. Professional
CSC



From: Igor Galić <i.galic@xxxxxxxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx
Date: 11/19/2010 08:46 AM
Subject: Re: Group authentication to AD






> >
> > My goal(s):
> > 1. Allow only 1 specific, Active Directory, group access to the
> > repository.
>
> That should work out fine.
>
> > 2. Simultaneously, allow a single user account, that is not a
> > member of the group, access to the repository
>
> Given that the condition is ``Simultaneously'' I'm not entirely sure
> this will work. It might be pure chance.
> Only starting 2.3 there were possibilities added to make this kind
> of thing easily configurable, i.e.: <RequireAny> and <RequireAll>
>
> http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#requireall
> http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#requireany
> http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#logic

Silly me. Took me a while to remember about this.
There's require ldap-filter!
You should definitely take a look at those.
http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#reqfilter
That should help you ask for pretty much *anything*

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@xxxxxxxxxxxxxx
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
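
Added example, not part of either message above: in httpd 2.2, multiple Require lines in one block are alternatives, so the Require valid-user line in the posted Location block admits every account that authenticates, whatever the ldap-group line says. The sketch below covers only that Require logic, reuses the placeholder names from the post, and assumes the authentication settings stay as posted.

```apache
# As posted: any ONE Require line is enough, so valid-user lets everyone in.
#   Require valid-user
#   Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com

<Location /test_repo>
    DAV svn
    SVNPath /disk01/home/test_repo
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative on

    # No "Require valid-user" here. The two lines below are still
    # alternatives: group members OR the one extra account get access.
    Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
    Require ldap-user pmoss

    # Same policy as a single filter (use instead of the two lines above).
    # Assumes the group DN is listed in the user's memberOf attribute.
    #Require ldap-filter |(memberOf=CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com)(sAMAccountName=pmoss)
</Location>
```

To check the result, authenticate with an account that is valid in the directory but is neither in the group nor the named user; the expected response is a 401, not the repository listing.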



