Thank you all for your quick answers.

Problem is, I have a few "Webapps" that require LDAP.

I am more or less just using htaccess to have a simple way of testing it.

BR
Sebastian

On 22.05.2017 15:32, Maciej Drobniuch wrote:
> Hi Sebastian,
> 
> I do not know the solution for your particular problem. 
> 
> A small hint however, try going with spnego/kerberos. 
> 
> IMHO you should be able to achieve something like this out of the box
> with HBAC rules via the freeipa web interface.
> 
> BR
> M.
> 
> On Mon, May 22, 2017 at 3:19 PM, Sebastian Kösters <skoest...@gmx.de> wrote:
> 
>     Hi all!
> 
>     I have a question about the use of LDAP with .htaccess in freeIPA.
> 
>     I am using freeIPA (V. 4.4.0-14 with CentOS 7). I now wanted to also use
>     .htaccess with LDAP.
> 
>     My first try was this:
> 
>     ---
> 
>     Order allow,deny
>     Allow from all
>     AuthName "test"
>     AuthType Basic
>     AuthBasicProvider ldap
>     AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid"
>     Require valid-user
> 
>     ---
> 
>     This works perfectly fine for users I created in the freeIPA
>     web interface.
> 
>     I now have to make some changes. Some users should be able to log in on
>     the website that uses the .htaccess and some should not be able to
>     log in.
> 
>     So I decided to create a group and add all users who should be allowed
>     to log in via .htaccess.
> 
>     So my first try was this:
> 
>     ---
> 
>     [...]
>     Require ldap-attribute gidNumber=101010
>     [...]
> 
>     ---
> 
>     101010 is the gid of my newly created group (webtest). That did not
>     work. If I use the gid of the "main" group of the users, it's working
>     fine (the user is definitely part of the new group).
> 
>     I also tried several other ways I found with the help of Google to
>     only allow users who are members of the group to have access, but every
>     attempt failed.
> 
>     Maybe one of you guys is able to help me?!
> 
>     Thank you and best regards
>     Sebastian
>     _______________________________________________
>     FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>     To unsubscribe send an email to
>     freeipa-users-le...@lists.fedorahosted.org
> 
> -- 
> Best regards
> 
> Maciej Drobniuch
> Network Security Engineer
> Collective-Sense,LLC
> 

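Added example, not part of the original thread: a user entry's `gidNumber` holds only the primary group's GID, which is why `Require ldap-attribute gidNumber=101010` matches the "main" group but not an additional group such as `webtest`. The sketch below checks group membership instead; the group DN is assumed from FreeIPA's default `cn=groups,cn=accounts` layout, and the bind DN and password are placeholders.

```apache
# Added example (not from the thread). Hostnames and base DN reuse the
# values posted above; the group DN, bind DN and password are assumptions.
AuthName "test"
AuthType Basic
AuthBasicProvider ldap

# One URL, two servers separated by a space for failover.
AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid"

# Assumption: a dedicated read-only account, because membership
# attributes may not be readable over an anonymous bind.
AuthLDAPBindDN "uid=PLACEHOLDER,cn=sysaccounts,cn=etc,dc=domain,dc=de"
AuthLDAPBindPassword "PLACEHOLDER"

# Before: compares the user's single-valued primary GID, so it only
# matches the "main" group and never an additional group.
# Require ldap-attribute gidNumber=101010

# After, option 1: compare the group entry's member attribute
# against the DN of the authenticated user.
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require ldap-group cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de

# After, option 2 (use instead of option 1): compare the memberOf
# attribute on the user entry itself.
# Require ldap-attribute memberOf="cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de"
```

Both options depend on the bind identity being allowed to read the membership attribute; if access is still denied, check that first with an `ldapsearch` run as the same bind DN.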