How do I require more than one Require ldap-* directive match?

on 06.04.2010 19:25:30 by pthomas


How do I configure mod_authnz_ldap to require that I meet multiple
authorization conditions [i.e. user must be a member of an LDAP group
AND also possess one or more attributes]? As it is, the code returns
"OK" as soon as the first "Require ldap-*" directive succeeds,
short-circuiting subsequent require directives.

If I only had to match on attributes, I could use a Require ldap-filter
directive, but needing to search for both a group and an attribute stops
me cold.

-Pete


RE: How do I require more than one Require ldap-* directive match?

on 06.04.2010 19:50:52 by pthomas


I've looked at the mod_authnz_ldap code and the documentation. "Out of
the box" it seems like there's no way to turn the "OR" behavior of
Require ldap-* lines into "AND." I've been trying as hard as I can to
avoid creating not only a new provider type but also a new provider.
Unfortunately, the more I dig into mod_authnz_ldap the more it seems
like it's not quite what I need. Is there a "right" way to do this?
One thought is creating a hook that "fakes out" check_user_access by
dynamically updating the array of requires to "present" one ldap-*
require line at a time, then aggregating the results into a single
return value.

I've seen some pretty subtle tricks from all of you--I'm hoping that
someone out there has a better option than building up a new provider.

--Pete

Re: How do I require more than one Require ldap-*

on 06.04.2010 21:57:22 by Eric Covener

On Tue, Apr 6, 2010 at 1:50 PM, Thomas, Peter wrote:
> I've looked at the mod_authnz_ldap code and the documentation. "Out of the
> box" it seems like there's no way to turn the "OR" behavior of Require ldap-*
> lines into "AND." I've been trying as hard as I can to avoid creating not
> only a new provider type but also a new provider. Unfortunately, the more I
> dig into mod_authnz_ldap the more it seems like it's not quite what I need.
> Is there a "right" way to do this? One thought is creating a hook that
> "fakes out" check_user_access by dynamically updating the array of requires
> to "present" one ldap-* require line at a time, then aggregating the results
> into a single return value.
>
> I've seen some pretty subtle tricks from all of you--I'm hoping that someone
> out there has a better option than building up a new provider.
>

This comes for free in trunk. I'd review a 2.2.x patch that just
changed the way the loop operates to respect an "AND" flag -- my guess
is that it is not very hard but I am too swamped to play with it.

The caveat for the doc would be that it only made sense in an
all ldap-* configuration.

This AND behavior for LDAP authz is frequently requested.


--
Eric Covener
covener@gmail.com

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
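The two behaviours discussed in the thread side by side, as an added configuration example that is not from any of the posts. It assumes the httpd 2.4 `<RequireAll>` authorization container (the trunk feature Eric refers to); the server name, base DN, group DN and the attribute name/value are constructed placeholders, not values from the thread.

```apache
# Added example, not from the thread. ldap.example.com, the base DN,
# the group DN and employeeType=fulltime are constructed placeholders.
<Location /secure>
    AuthType Basic
    AuthName "LDAP protected area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on

    # httpd 2.2 behaviour as described in the thread: the first
    # Require ldap-* line that succeeds authorizes the request (OR).
    # A user who is in the group but lacks the attribute still gets in,
    # so this pair does NOT express "group AND attribute".
    #
    #   Require ldap-group cn=staff,ou=groups,dc=example,dc=com
    #   Require ldap-attribute employeeType=fulltime

    # httpd 2.4 (trunk at the time of the thread): every Require inside
    # <RequireAll> must succeed, so a user must be a group member AND
    # carry the attribute. Denial by either check denies the request.
    <RequireAll>
        Require ldap-group cn=staff,ou=groups,dc=example,dc=com
        Require ldap-attribute employeeType=fulltime
    </RequireAll>
</Location>

# The attribute-only case Pete mentions works on 2.2 as well, because a
# single LDAP filter can AND several attribute conditions in one
# Require line (no group check here).
<Location /fulltime-only>
    AuthType Basic
    AuthName "Full-time staff"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=person)"
    Require ldap-filter (&(employeeType=fulltime)(departmentNumber=42))
</Location>
```

When testing a change like this, check the failure side as well as the success side: a test account that is in the group but lacks the attribute should receive 401/403 under `<RequireAll>`, which is exactly the case the 2.2 OR loop lets through.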

RE: How do I require more than one Require ldap-* directive match?

on 06.04.2010 22:39:23 by pthomas

Thanks. I'm in a production environment, so going to the trunk will be
a tough sell. Ryan Patrick offered up a complete patch in 2005 to allow
"and" -- reused "Satisfy all", which raised some controversy.

I'll revive/update his patch suggestion, but add a one-off flag for
"AuthzLDAPSatisfy all" [defaulting to "any" which yields the current OR
behavior].
At the time, Graham L. didn't like the one-off flag, as it was
asymmetric with other modules. I don't see that as an overwhelming
concern.

--Pete

> -----Original Message-----
> From: Eric Covener [mailto:covener@gmail.com]
> Sent: Tuesday, April 06, 2010 3:57 PM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] How do I require more than one
> Require ldap-* directive match?
>
> This comes for free in trunk. I'd review a 2.2.x patch that
> just changed the way the loop operates to respect an "AND"
> flag -- my guess is that it is not very hard but I am too
> swamped to play with it.
>
> The caveat for the doc would be that it only made sense
> in an all ldap-* configuration.
>
> This AND behavior for LDAP authz is frequently requested.
>
> --
> Eric Covener
> covener@gmail.com
