[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[users@httpd] Need help restricting LDAP authorization to subdirectory


hi, 
We are working on a new intranet page for our office and I'm having trouble getting one specific thing working. 

Our old intranet was strictly static content in file system directories and permissions were set exclusively on directories.   Unfortunately even though this is a new development, I'm currently stuck on Apache 2.2 on CentOS 6.  

This works on the old one (Apache 2.2 on Solaris 11)
  <Directory /data/www-root/intranet>
    AuthType cas
    AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
    AuthzLDAPAuthoritative on
    require ldap-group cn=.all-users,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
  </Directory>
  
  <Directory /data/www-root/intranet/restricted>
    AuthType cas
    AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
    AuthzLDAPAuthoritative on
    require ldap-group cn=.restricted-group,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
  </Directory>


The issue is on the new one is using a CMS and we are hoping to restrict access based on Locations, not Directory blocks.

My block is similar to below but it doesn't seem to be taking effect.  It seems because the user has access to that directory that it's passing on the Location restriction.  Am I doing something wrong?

This is running on Apache 2.2 on CentOS 7.
  <Directory /data/www-root/intranet2>
    AuthType cas
    AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
    AuthzLDAPAuthoritative on
    require ldap-group cn=.all-users,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
  </Directory>
  
  <Location /restricted>
    AuthType cas
    AuthLDAPURL ldap://ctg-ldap/o=ncic-ctg?uid?sub
    AuthzLDAPAuthoritative on
    require ldap-group cn=.restricted-group,ou=Groups,o=ctg.queensu.ca,o=ncic-ctg
  </Directory>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx