Hello,

We are moving from Apache 1.3 (Solaris) to Apache 2.2.3 (Redhat). We are trying to leverage the new functionality in the mod_authnz_ldap module to authenticate/authorize users visiting our support site.

I have the authentication piece working and am now trying to authorize access to certain directories using ldap-attribute. We have an attribute in our LDAP directory called "groupmembership". Due to some issues in our back-end Notes/Domino database, values for groupmembership are like "Employee 1", "Employee 2", "Employee 3", etc., but each of these is essentially the same, i.e. a member of the "Employee" group.

So, if I have content that I want to secure to members of the "Employee" group, I was hoping to use a wildcard like:

    require ldap-attribute groupmembership=Employee*

But this is not working. In fact, there's not even an error in the log file.

Here's the conf file for my test site:

    <Directory "/var/www/support-dev2">
    #    Options Indexes
    #    AllowOverride None
    #    Order allow,deny
    #    Allow from all
        AuthType Basic
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthName "Please enter your webaccount username and password:"
        AuthLDAPURL ldap://domino-core.qad.com:389/?cn
        require ldap-attribute groupmembership=Employee*
    #    require valid-user
        AuthLDAPBindDN "cn=Domino Ldap,o=QADWEB"
        AuthLDAPBindPassword [EMAIL PROTECTED]
    </Directory>

If I change ldap-attribute to the following:

    require ldap-attribute groupmembership="Employee 6"

it works for any account which specifically has "Employee 6" as a value for the "groupmembership" field. But using the wildcard "Employee*" or simply Employee* (no quotes), does not work.

Can someone set me straight? What am I doing wrong? Is there a limitation of the wildcard character that I'm not aware of?

Thanks,
Bruce