
Is it possible to use a portion of the request URI as an input to mod_authnz_ldap's Require ldap-group directive?

I'm trying to dynamically check access to a bunch of different project directories, all under http://testserver.com/projects/, such that a user accessing /projects/abc would be checked for membership in cn=abc,ou=groups,dc=test. Ideally I'd like to do this without creating a separate Location directive for each project, since there could well be hundreds of them.

I have come up with this, which illustrates the general concept, but which doesn't work (project_name doesn't retrieve the actual variable contents):

<Location /projects>
    SetEnvIf Request_URI "/projects/([-a-z0-9A-Z_]+)/" project_name=$1

    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Restricted Resource - SVN (LDAP)"
    AuthLDAPURL "ldap://127.0.0.1:389/dc=test?uid"
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid
    Require ldap-group cn=%{project_name},ou=groups,dc=test
</Location>

Help?

JJD
Chris
  • Not possible. Your best bet is to try something like [mod_auth_external](http://code.google.com/p/mod-auth-external/). – h0tw1r3 Jul 23 '11 at 19:14

3 Answers

In Apache 2.4.8 and later, this is now possible:

SetEnvIf Request_URI "/projects/([-a-z0-9A-Z_]+)/" project_name=$1
Require ldap-group cn=%{env:project_name}, ou=groups, dc=test

Note that the spaces in the Require directive may be needed. See the mod_authnz_ldap documentation, especially example 5.

Thanks to Buri for finding the answer to this old question in Apache2 ldap authorization with dynamic group name based on server name.

Andrew Schulman
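
The SetEnvIf capture and the Require expansion from the answer above, modelled as an added example (this is not code from the question or from any answer, and it does not talk to httpd or LDAP). It uses the regex exactly as written on the page, plus an assumed tightened variant that is anchored to the start of the path and also accepts a URI with no trailing slash. The group table is constructed for the demonstration. The point worth seeing is that the character class does double duty: it is what keeps a crafted path such as `/projects/abc,ou=admins/` from adding RDNs to the group DN, and any URI it does not match leaves the env var unset, which is modelled here as a denial (in httpd the expansion is then an empty cn, which should match no group).

```python
import re

# Regex copied from the question / first answer:
#   SetEnvIf Request_URI "/projects/([-a-z0-9A-Z_]+)/" project_name=$1
PAGE_PATTERN = re.compile(r"/projects/([-a-z0-9A-Z_]+)/")

# Assumed tightened variant (my addition, not from the page): anchored at the
# start of the path and also accepting "/projects/abc" with no trailing slash.
STRICT_PATTERN = re.compile(r"^/projects/([-a-zA-Z0-9_]+)(?:/|$)")

GROUP_SUFFIX = "ou=groups,dc=test"


def project_name(uri, pattern=PAGE_PATTERN):
    """What SetEnvIf would store in project_name for this URI, or None (unset)."""
    m = pattern.search(uri)
    return m.group(1) if m else None


def group_dn(uri, pattern=PAGE_PATTERN):
    """The DN that 'Require ldap-group cn=%{env:project_name},ou=groups,dc=test'
    expands to for this URI. None means the env var was never set."""
    name = project_name(uri, pattern)
    if name is None:
        return None
    # The character class admits no ',', '=', '+', '(', ')', '*' or whitespace,
    # so the captured text cannot append RDNs to, or otherwise reshape, the DN.
    return "cn=%s,%s" % (name, GROUP_SUFFIX)


# Constructed directory contents (not real data): group DN -> memberUid values,
# matching the AuthLDAPGroupAttribute memberUid setting in the question.
GROUPS = {
    "cn=abc,ou=groups,dc=test": {"alice", "bob"},
    "cn=web-frontend,ou=groups,dc=test": {"carol"},
}


def is_allowed(user, uri, groups=GROUPS, pattern=PAGE_PATTERN):
    """Model the authorization decision: deny unless the URI yields a DN that
    names a group the user is a member of (fail closed on no match)."""
    dn = group_dn(uri, pattern)
    if dn is None:
        return False
    return user in groups.get(dn, set())


if __name__ == "__main__":
    samples = [
        "/projects/abc/",
        "/projects/abc/trunk/README",
        "/projects/abc",                 # no trailing slash: page regex misses it
        "/projects/web-frontend/",
        "/projects/abc,ou=admins/",      # attempted DN injection
        "/projects/abc)(uid=*)/",        # attempted filter injection
        "/other/projects/xyz/",          # unanchored page regex still matches
    ]
    for uri in samples:
        print("%-30s page=%-8s strict=%-8s alice=%s" % (
            uri,
            project_name(uri),
            project_name(uri, STRICT_PATTERN),
            is_allowed("alice", uri),
        ))
```

Whichever regex is used, keep the capture group restricted to a character class like the one above; if the project directory names ever need characters that carry meaning in a DN or LDAP filter, the value has to be escaped before it reaches the Require line, and SetEnvIf gives no way to do that.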

I believe Apache 2.4 has more to offer in this area than 2.2... might be worth looking at.

Alternatively, it may be worth looking at building your own custom module; it's not as scary as it seems -- assuming you are comfortable in C.

Similarly, doesn't mod_perl offer a lot in extending Apache via hooks?

Cameron Kerr

You could try to add a filter to the AuthLDAPURL parameter: https://httpd.apache.org/docs/2.4/en/mod/mod_authnz_ldap.html#authldapurl

Maybe something like:

AuthLDAPURL "ldap://127.0.0.1:389/dc=test?uid?sub?(memberof=cn=%{project_name},ou=groups,dc=test)"
Ben-Banso