Have a look at SetEnvIf and mod_rewrite where you can set an environment variable based on something in the headers, uri and/or request string. Not sure if you can use that var inside mod_authz_ldap though.

On Feb 24, 2012 5:48 AM, "J.Lance Wilkinson" <jl...@psu.edu> wrote:
> I've just been asked to implement in Apache HTTPD a restricted access area
> that drives off membership in an LDAP group.
>
> I have production services running on Solaris 10 using Apache/2.2.6.
> Eventually these will be replaced with servers running on RHEL 6 using
> Apache/2.2.15, but that's not likely to be available before mid-year, while
> this need to control access to some directories by LDAP group membership
> exists NOW.
>
> I already have this kind of setup that allows me to simplify my access
> control:
>
> <Location ~ "^/(.*)/intranet(.html|/(.*)?)$">
> CosignProtected On
> AuthType Cosign
> AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
> AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
> AuthLDAPBindPassword "password56789"
> require ldap-filter uid=*
> Order allow,deny
> Allow from all
> </Location>
>
> Any request that ends with "/intranet.html" or contains "/intranet/" in
> the path has our single signon solution Cosign forced upon it. This forces
> any attempted access to any path containing "intranet" to provide
> credentials authenticated by the institution as a whole.
>
> Further, it then enforces that the authenticated User ID be found matching
> a uid entry in an LDAP server.
>
> Now I know that I can restrict a given explicit path to a specific LDAP
> group, but as the feature becomes more widely recognized by my website
> authors, I can see departments left and right asking for the feature, and
> I don't want to be writing a new custom stanza for each department every
> week or so.
>
> I'd like to make it dynamic, so one stanza will cover the current need and
> all similar needs in the future just by creating a new directory that
> matches the LOCATION pattern:
>
> <Location ~ "^/(.*)/restricted(.html|/(.*)?)$">
> CosignProtected On
> AuthType Cosign
> AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
> AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
> AuthLDAPBindPassword "password56789"
> ## somehow get the value for the group from the URI supplied
> require ldap-group cn=A.DYNAMICALLY.IDENTIFIED.LDAP.GROUP
> Order allow,deny
> Allow from all
> </Location>
>
> Where the LDAP group required is driven by something in the URI. What's
> desired is a way to capture the desired LDAP GROUP from the URI, so all
> the website authors need to do is to create content with a path that
> contains "/restricted/THIS.LDAP.GROUP/", and then USE that piece of the
> URI as the group to require.
>
> I'm presuming that there's some way, using a mod_rewrite rule, to extract
> the desired information from the URI and stash it, say, in an environment
> variable. The task then is to somehow use that extracted value to impose
> the appropriate restrictions in the require directive. Thus, website
> authors create a directory path
> ..../restricted/THIS.LDAP.GROUP/content.that.is.restricted.html
> and the required group would automatically be cn=THIS.LDAP.GROUP for that
> directory and below.
>
> Is there any way to do this without having to rewrite or add on to
> mod_authnz_ldap? Maybe some way to inject the desired group into the
> ldap-filter format of the require directive?
>
> --
> J.Lance Wilkinson ("Lance")          InterNet: lance.wilkin...@psu.edu
> Systems Design Specialist - Lead     Phone: (814) 865-4870
> Digital Library Technologies         FAX: (814) 863-3560
> E3 Paterno Library
> Penn State University
> University Park, PA 16802
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
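The capture step the reply points at, written out as an added example; it is not config from this thread or from the Apache project, and it assumes group entries live under ou=Groups,dc=c,dc=d (the poster only shows ou=People) and that the usual mod_setenvif, mod_authnz_ldap and Cosign modules are loaded. Two points matter here. First, the group name is taken from a path segment that any request can supply, and it would eventually be spliced into an LDAP search filter, so the pattern that captures it must whitelist characters rather than accept anything up to the next slash; a directory named with "(", ")", "*" or "\" would otherwise become filter syntax. Second, the Location pattern itself must stay broad: if the narrow character class were put in the Location regex, a path like /x/restricted/bad)name/ would match no Location at all and be served with no protection, so the Location matches every /restricted/ path and the environment variable is used to fail closed when nothing valid was captured. On Apache 2.2 Require ldap-group takes a literal DN and does not expand environment variables, which is the gap the reply is unsure about; the captured value is therefore consumed where 2.2 can use it (the access check and the log) and the Require line is still a literal to be set per group.

```apache
# Added example, not taken from the thread. Assumes groups are stored under
# ou=Groups,dc=c,dc=d and that mod_setenvif and mod_authnz_ldap are loaded.

# Capture the first path segment after /restricted/ into RESTRICTED_GROUP.
# The character class is deliberately narrow: the value is request-controlled
# and must never carry LDAP filter metacharacters. A segment that does not
# match leaves the variable unset, which the Location below treats as a deny.
SetEnvIf Request_URI "^/.*/restricted/([A-Za-z0-9._-]+)(/|$)" RESTRICTED_GROUP=$1

# Broad match on purpose: every /restricted/ path is covered, including ones
# whose group segment failed the whitelist above.
<Location ~ "^/.*/restricted/">
    CosignProtected On
    AuthType Cosign
    AuthLDAPURL ldap://a.b.c.d/ou=People,dc=c,dc=d
    AuthLDAPBindDN "uid=FullAccess,ou=bindings,dc=c,dc=d"
    AuthLDAPBindPassword "password56789"

    # Fail closed: no valid group segment captured means no access, before any
    # LDAP lookup is attempted. Satisfy all keeps the LDAP check mandatory too.
    Order deny,allow
    Deny from all
    Allow from env=RESTRICTED_GROUP
    Satisfy all

    # 2.2 limitation: this DN must be literal; %{ENV:RESTRICTED_GROUP} is not
    # expanded here. A per-group <Location> carrying this line is still needed.
    Require ldap-group cn=THIS.LDAP.GROUP,ou=Groups,dc=c,dc=d
</Location>

# Record which group segment each restricted request resolved to, so rejected
# or malformed directory names show up in the log rather than silently 403.
LogFormat "%h %l %u %t \"%r\" %>s %b group=%{RESTRICTED_GROUP}e" restricted
CustomLog logs/restricted_log restricted env=RESTRICTED_GROUP
```

Check it with apachectl -t, then request /x/restricted/good.group/page.html and /x/restricted/bad)name/page.html: the first should prompt for credentials, the second should be refused outright with nothing written to restricted_log. Apache 2.4's expression syntax is where a truly dynamic Require becomes possible; confirm against the mod_authnz_ldap documentation for the exact 2.4 release in use before relying on it, since the 2.2 servers in the thread cannot do it.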