Authentication question: user OR group

Hello,

I've set up ldap authentication and would like to allow access to all
users in groupA and another user userA (not part of the group).

Require user userA
Require ldap-group groupA
Satisfy any

This doesn't work, it accepts any user.

From looking at the documentation, it seems like this simple use case
isn't possible at all.
Can someone please prove me wrong?

------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd.apache.org
" from the digest: users-digest-unsubscribe [at] httpd.apache.org
For additional commands, e-mail: users-help [at] httpd.apache.org
swm38 swm38 [ Sat, 25 September 2010 09:14 ] [ ID #2048479 ]

Re: Authentication question: user OR group

On 25 Sep 2010, at 08:14, swm38 swm38 wrote:

> Hello,
>
> I've set up ldap authentication and would like to allow access to all
> users in groupA and another user userA (not part of the group).
>
> Require user userA
> Require ldap-group groupA
> Satisfy any
>
> This doesn't work, it accepts any user.

Yep, seems likely. Re-read the documentation of "Satisfy" for details.

The concept you're looking for is "Authoritative" authorization (you need
to turn it Off to use more than one Require with OR logic).

--
Nick Kew

Nick Kew [ Sat, 25 September 2010 10:04 ] [ ID #2048480 ]

Re: Authentication question: user OR group

2010/9/25, Nick Kew <nick [at] webthing.com>:
> The concept you're looking for is "Authoritative" authorization (you need
> to turn it Off to use more than one Require with OR logic).

I tried setting "AuthzLDAPAuthoritative off", without success, it's
still AND logic (group and user must match).
Reading the documentation, I think it can be used to try to
authenticate the user against multiple auth modules but not enable OR
logic for Require statements.

swm38 swm38 [ Sat, 25 September 2010 10:33 ] [ ID #2048481 ]
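
Added example, not part of the thread: one way to express "userA OR any member of groupA" on Apache httpd 2.2 (the release line that has AuthzLDAPAuthoritative), shown beside the configuration from the first post. The location path, LDAP host, base DN and group DN are placeholders, and the sketch assumes mod_authnz_ldap handles both authentication and authorization.

```apache
# Constructed example for Apache httpd 2.2 with mod_authnz_ldap.
# /protected, ldap.example.org and all DNs below are placeholders.
<Location /protected>
    AuthType Basic
    AuthName "Restricted area"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.org/ou=people,dc=example,dc=org?uid"

    # Before (as posted in the thread):
    #   Require user userA
    #   Require ldap-group groupA
    #   Satisfy any
    # "Satisfy any" grants access when EITHER the host-based check
    # (Order/Allow/Deny) OR the Require check passes. With no Deny rule
    # every host passes the first check, so the Require lines never
    # get a chance to restrict anything.

    # After: keep the default "Satisfy all" and put both conditions in
    # ldap-* form so that a single module (mod_authnz_ldap) evaluates
    # them. It grants access as soon as one of its Require lines matches.
    Require ldap-user userA
    Require ldap-group cn=groupA,ou=groups,dc=example,dc=org
    Satisfy all
</Location>
```

To check the result, request the location without credentials (expect 401), as userA, as a member of groupA, and as a valid LDAP user who is neither (expect 401 again).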