Use Require ldap-group <groupname>

Apache's LDAP implementation supports looking up group membership.

The attribute on the group is member.



Sent from my Samsung device


-------- Original message --------
From: Sebastian Kösters <skoest...@gmx.de>
Date: 22-05-17 16:11 (GMT+01:00)
To: Peter Fern <free...@0xc0dedbad.com>, freeipa-users@lists.fedorahosted.org
Subject: [Freeipa-users] Re: freeipa ldap + htaccess question

Hi,

I also already tried this :) ...also with the group's DN (which I found
via ldapsearch).

Sadly it did not help.

BR

On 22.05.2017 16:05, Peter Fern wrote:
> The gidNumber attribute is just the primary group.  You won't see any
> supplementary groups there, just like /etc/passwd.  Use memberOf with
> the group's DN or something for supplementary groups.
>
> If you want to see what the data looks like in the directory, just use
> ldapsearch - this is all standard LDAP stuff, you just need to
> understand the schemas that are used.
>
> On 22/05/17 23:19, Sebastian Kösters wrote:
>> Hi all!
>>
>> I have a question about the use of LDAP with .htaccess in freeIPA.
>>
>> I am using freeIPA (V. 4.4.0-14 with CentOS 7). I now wanted to also use
>> .htaccess with LDAP.
>>
>> My first try was this:
>>
>> ---
>>
>> Order allow,deny
>> Allow from all
>> AuthName "test"
>> AuthType Basic
>> AuthBasicProvider ldap
>> AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid"
>> Require valid-user
>>
>> ---
>>
>> This works perfectly fine for users I created in the freeIPA web interface.
>>
>> I now have to make some changes. Some users should be able to log in on
>> the website that uses the .htaccess and some should not be able to log in.
>>
>> So I decided to create a group and add all users who should be allowed
>> to log in via .htaccess.
>>
>> So my first try was this:
>>
>> ---
>>
>> [...]
>> Require ldap-attribute gidNumber=101010
>> [...]
>>
>> ---
>>
>> 101010 is the gid of my newly created group (webtest). That did not
>> work. If I use the gid of the "main" group of the users, it's working
>> fine (the user is definitely part of the new group).
>>
>> I also tried several other ways I found with the help of Google to
>> only allow users who are members of the group to have access, but every
>> attempt failed.
>>
>> Maybe one of you guys is able to help me?!
>>
>> Thank you and best regards
>> Sebastian
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

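The two group checks suggested in this thread, written out as an added .htaccess example for Apache 2.4 that is not from any of the posters. The hosts, base DN and the group name webtest come from the thread; the group's full DN, the bind account and its password are assumptions or placeholders.

```apache
# Added example, not from the thread.
# Assumed: the group lives under cn=groups,cn=accounts (check with ldapsearch),
# and the bind account below is a placeholder for a read-only service account.

AuthName "test"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPURL "ldaps://ipa01.hostname.de:636 ipa02.hostname.de:636/cn=users,cn=accounts,dc=domain,dc=de?uid"

# Assumption: the directory does not expose member/memberOf to anonymous
# binds, so the search and group comparison run as a dedicated account.
AuthLDAPBindDN "uid=PLACEHOLDER-BIND-ACCOUNT,cn=sysaccounts,cn=etc,dc=domain,dc=de"
AuthLDAPBindPassword "PLACEHOLDER-PASSWORD"

# The attempt from the thread: gidNumber on the user entry holds only the
# primary group, so it never matches a supplementary group such as webtest.
# Require ldap-attribute gidNumber=101010

# Option 1: compare the authenticated user's DN against the "member"
# values on the group entry. The group DN is written without quotes.
AuthLDAPGroupAttribute member
AuthLDAPGroupAttributeIsDN on
Require ldap-group cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de

# Option 2 (use instead of option 1): test memberOf on the user entry.
# Require ldap-attribute memberOf=cn=webtest,cn=groups,cn=accounts,dc=domain,dc=de

# Leave out "Require valid-user". Several Require lines in one section are
# combined as RequireAny in Apache 2.4, so keeping it would admit every
# user who can authenticate, whether or not they are in the group.
```

If access is still denied, raising LogLevel for authnz_ldap in the server configuration shows which bind, search or compare step failed.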