Eric Covener wrote:
LDAP attributes can be loaded into AUTHENTICATE_* vars and can be
queried, but you might not be able to express the rules you need using
attributes only.
Not sure exactly what you're saying here... "AUTHENTICATE_* vars"
are those environment variables or something? I've never seen them
in the environment presented to a CGI script or a PHP script. Are
they environment variables that can be used in other Apache directives?
As I currently use things like %{REQUEST_URI} in a rewrite rule or
rewrite condition? If that's the case, what gets substituted for
the "*"? Is it AUTHENTICATE_attribute like AUTHENTICATE_UID or
AUTHENTICATE_MAIL, substituting LDAP attributes for the wildcard,
or is there some specific vocabulary of substitutions for the
wildcard? Is there a listing or documentation someplace that
specifically addresses this that I've missed?
Some directory servers allow group membership to be read as a "magic"
attribute in LDAP. Notably, tivoli directory server allows an
ibm-allGroups element to be used (result only, not filtered on) which
you could them find a way to check more dynamically (setenvif, allow
from env=...).
I think we may be using those features on our university-wide
LDAP server here, but not in that manner. I have used at least one
ibm-* attribute in other capacities, but with custom developed
code in a CGI script, not at the Apache authentication/authorization
level.
--
J.Lance Wilkinson ("Lance") InterNet: [email protected]
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
" from the digest: [email protected]
For additional commands, e-mail: [email protected]