On Fri, Mar 22, 2013 at 08:04:08AM -0400, Dmitri Pal wrote:
> In IPA/389 each user has a full list of the DNs of the groups he is a
> member of.
> Also the member attribute in the group is the list of DNs of all members
> and member groups.
> IPA/389 supports a dereference control.
> But the question is: what are you trying to accomplish?

I'm trying to get a RHEL5 server with Apache 2.2 to use LDAP to
authenticate users, and only let the users of select groups have access.
This is configured through mod_authnz_ldap:

        AuthType Basic
        AuthName "Backend"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPGroupAttribute member
        #Require ldap-filter
        Require ldap-group cn=tvadmins, cn=groups, cn=accounts, dc=example,
        Require ldap-group cn=nocdrift, cn=groups, cn=accounts, dc=example,
        Require ldap-group cn=systemdrift, cn=groups, cn=accounts, dc=example,

The problem I have is that we want to give access to nested groups, and
this doesn't seem possible with mod_authnz_ldap in apache 2.2 (v2.4
supports nesting, not 2.2).

This doesn't work with nested groups, and it's something like that
commented out ldap-filter I'm looking for as a solution.

> If you need to check whether the user is a member of the group it is a
> simple search using member attribute as a filter.

Could you give me an example of such a filter?

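An added illustration (not part of this thread, and not IPA or Apache code) of why the `Require ldap-group` directives above miss nested members and how the user-side group list Dmitri mentions (the memberOf attribute) lets a single filter cover nesting instead. It models a few IPA-style entries in memory; the `dc=example,dc=test` suffix, the user names, and the `member_of`/`ldap_filter_for_groups` helpers are constructed assumptions, and it assumes, as in IPA/389, that memberOf holds indirect groups too.

```python
# Constructed sample directory; the real post's suffix is truncated, so a
# placeholder is used here.
BASE = "cn=accounts,dc=example,dc=test"

def dn(cn, kind):
    """Build a group or user DN in the constructed IPA-style tree."""
    return f"cn={cn},cn=groups,{BASE}" if kind == "group" else f"uid={cn},cn=users,{BASE}"

# nocdrift is nested inside tvadmins; bob is only a direct member of nocdrift,
# so a flat look at tvadmins' member attribute never lists him.
DIRECTORY = {
    dn("tvadmins", "group"): {"member": [dn("alice", "user"), dn("nocdrift", "group")]},
    dn("nocdrift", "group"): {"member": [dn("bob", "user")]},
    dn("alice", "user"): {"uid": "alice"},
    dn("bob", "user"): {"uid": "bob"},
}

def flat_member_check(user_dn, group_dn):
    """What a one-level member lookup (the 2.2 ldap-group behaviour) sees:
    is the user DN listed directly in the group's member attribute?"""
    return user_dn in DIRECTORY[group_dn]["member"]

def expand_members(group_dn, seen=None):
    """Walk nested groups through their member attribute and return every
    user DN that is a direct or indirect member (cycle-safe)."""
    seen = set() if seen is None else seen
    users = set()
    for m in DIRECTORY[group_dn]["member"]:
        if m in seen:
            continue
        seen.add(m)
        if "member" in DIRECTORY.get(m, {}):
            users |= expand_members(m, seen)
        else:
            users.add(m)
    return users

def member_of(user_dn):
    """Model of the memberOf attribute 389/IPA maintains on a user entry:
    every group containing the user directly or via nesting (assumption)."""
    return {g for g, e in DIRECTORY.items() if "member" in e and user_dn in expand_members(g)}

def ldap_filter_for_groups(group_dns):
    """Build a memberOf-based filter for the commented-out Require ldap-filter
    slot, so nesting is resolved by the directory rather than by Apache."""
    return "(|" + "".join(f"(memberOf={g})" for g in group_dns) + ")"

def filter_matches(user_dn, group_dns):
    """Evaluate that filter against the constructed directory."""
    return bool(member_of(user_dn) & set(group_dns))
```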

Freeipa-users mailing list
