On Fri, Mar 22, 2013 at 08:04:08AM -0400, Dmitri Pal wrote:
> 
> In IPA/389 each user has a full list of the DNs of the groups he is a
> member of.
> Also the member attribute in the group is the list of DNs of all members
> and member groups.
> IPA/389 supports a dereference control.
> 
> But the question is: what are you trying to accomplish?

I'm trying to get a RHEL5 server with Apache 2.2 to use LDAP to
authenticate users, and only let the users of select groups have access.
This is configured trough mod_authnz_ldap:

        http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html

The problem I have is that we want to give access to nested groups, and
this doesn't seem possible with mod_authnz_ldap in apache 2.2 (v2.4
supports nesting, not 2.2).

        AuthType Basic
        AuthName "Backend"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative off
        AuthLDAPUrl 
ldap://ipa1.example.net/cn=accounts,dc=example,dc=net?uid?sub
        AuthLDAPGroupAttributeIsDN off
        AuthLDAPGroupAttribute member
        #Require ldap-filter 
memberof:1.2.840.113556.1.4.1941:=cn=cactiaccess,cn=groups,cn=accounts,dc=example,dc=net
        Require ldap-group cn=tvadmins, cn=groups, cn=accounts, dc=example, 
dc=net
        Require ldap-group cn=nocdrift, cn=groups, cn=accounts, dc=example, 
dc=net
        Require ldap-group cn=systemdrift, cn=groups, cn=accounts, dc=example, 
dc=net

This doesn't work with nested groups, and it's something like that
commented out ldap-filter I'm looking for as a solution..


> If you need to check whether the user is a member of the group it is a
> simple search using member attribute as a filter.

Could you give me an example of such a filter? 


  -jf

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to