>There's require ldap-filter!
>You should definitely take a look at those.
>http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#reqfilter
>That should help you ask for pretty much *anything*

I have require ldap-filters configured in my location block, but it is not filtering. It is still letting any valid userid through. My location block is configured as below:

    <Location /test_repo>
        dav svn
        SVNPath /disk01/home/test_repo
        AuthType Basic
        AuthName "Subversion Repository"
        AuthBasicProvider ldap-FCGNET ldap-VIET
        AuthzLDAPAuthoritative on
        Require valid-user
        Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
        #Require ldap-user pmoss
    </Location>

I've configured my aliases, in my http.conf file, as follows:

    <AuthnProviderAlias ldap ldap-FCGNET>
        AuthLDAPBindDN FCGNET\account_name
        AuthLDAPBindPassword xxxxxxxxxx
        AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
    </AuthnProviderAlias>

    <AuthnProviderAlias ldap ldap-VIET>
        AuthLDAPBindDN "CN=account_name,OU=Service Accounts,OU=Users,OU=Production,DC=domain,DC=com"
        AuthLDAPBindPassword xxxxxxxxx
        AuthLDAPURL ldap://server.domain.com:3268/DC=domain,DC=com?samAccountName?sub?(objectCategory=person)
    </AuthnProviderAlias>

PATI MOSS
System Engineer Sr. Professional
CSC

From: Igor Galić <i.ga...@brainsware.org>
To: users@httpd.apache.org
Date: 11/19/2010 08:46 AM
Subject: Re: [us...@httpd] Group authentication to AD

> > My goal(s):
> > 1. Allow only 1 specific, Active Directory, group access to the
> > repository.
>
> That should work out fine.
>
> > 2. Simultaneously, allow a single user account, that is not a member
> > of the group, access to the repository
>
> Given that the condition is ``Simultaneously'' I'm not entirely sure
> this will work. It might be pure chance.
> Only starting 2.3 there were possibilities added to make this kind
> of thing easily configurable, i.e.: <RequireAny> and <RequireAll>
>
> http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#requireall
> http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#requireany
> http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#logic

Silly me.
Took me a while to remember about this.

There's require ldap-filter!
You should definitely take a look at those.

http://httpd.apache.org/docs/current/mod/mod_authnz_ldap.html#reqfilter

That should help you ask for pretty much *anything*

i

--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
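
The following is an added example, not part of the thread or written by either poster. In httpd 2.2 a request is authorized as soon as any one `Require` line matches, so a `Require valid-user` line next to `Require ldap-group` admits every account that authenticates. The sketch shows the posted pair beside a single `Require ldap-filter` covering both goals, plus the `<RequireAny>` form for 2.3 and later. The group DN and the user `pmoss` are the thread's own placeholders. It assumes the LDAP URL and bind settings are in effect for this location, and that the directory exposes the Active Directory attributes `memberOf` and `sAMAccountName`.

```apache
# Added example. Use ONE of the two alternatives below, not both.

# --- As posted (httpd 2.2): too permissive -------------------------------
# Require lines are OR'ed in 2.2. "valid-user" matches every account that
# authenticates, so the group line never narrows anything.
#   Require valid-user
#   Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com

# --- Alternative 1, httpd 2.2: one filter for "group member OR pmoss" ----
<Location /test_repo>
    DAV svn
    SVNPath /disk01/home/test_repo
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap-FCGNET ldap-VIET
    AuthzLDAPAuthoritative on
    # No "Require valid-user" here. The filter is written without outer
    # parentheses; mod_authnz_ldap combines it with the user lookup.
    Require ldap-filter |(memberOf=CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com)(sAMAccountName=pmoss)
</Location>

# --- Alternative 2, httpd 2.3 and later: explicit authorization logic ----
<Location /test_repo>
    DAV svn
    SVNPath /disk01/home/test_repo
    AuthType Basic
    AuthName "Subversion Repository"
    AuthBasicProvider ldap-FCGNET ldap-VIET
    <RequireAny>
        Require ldap-group CN=Active_Directory Group Name,OU=U.S.,OU=Groups,DC=domain,DC=com
        Require ldap-user pmoss
    </RequireAny>
</Location>
```

To check the result, authenticate with an account that is neither in the group nor `pmoss` and confirm the request is refused. `memberOf` matches direct membership only, so users who reach the group through a nested group will not match the filter.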