httpd-users mailing list archives

From Teddy Brown <tbr...@ctg.queensu.ca>
Subject [users@httpd] Need help restricting LDAP authorization to subdirectory
Date Tue, 12 Jun 2018 14:23:45 GMT
Hi,
We are working on a new intranet page for our office and I'm having trouble getting one specific
thing working. 

Our old intranet was strictly static content in file system directories and permissions were
set exclusively on directories.   Unfortunately even though this is a new development, I'm
currently stuck on Apache 2.2 on CentOS 6.  

This works on the old one (Apache 2.2 on Solaris 11)
  <Directory /data/www-root/intranet>
    AuthType cas
    AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
    AuthzLDAPAuthoritative on
    require ldap-group cn=.all-users,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
  </Directory>
  
  <Directory /data/www-root/intranet/restricted>
    AuthType cas
    AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
    AuthzLDAPAuthoritative on
    require ldap-group cn=.restricted-group,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
  </Directory>


The issue is that the new one is using a CMS and we are hoping to restrict access based on Locations,
not Directory blocks.

My block is similar to below but it doesn't seem to be taking effect.  It seems because the
user has access to that directory that it's passing on the Location restriction.  Am I doing
something wrong?

This is running on Apache 2.2 on CentOS 7.
  <Directory /data/www-root/intranet2>
    AuthType cas
    AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
    AuthzLDAPAuthoritative on
    require ldap-group cn=.all-users,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
  </Directory>
  
  <Location /restricted>
    AuthType cas
    AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
    AuthzLDAPAuthoritative on
    require ldap-group cn=.restricted-group,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
  </Location>
