CoSign: Collaborative Single Sign-On  
 

cosign-discuss at umich.edu
general discussion of cosign development and deployment
 

Re: Groups and other variables?



On Thu, 3 Mar 2005, Brian Hatch wrote:

> > I run several cosign-enabled web servers, and use require-group
> > all the time.  I use both DBM and LDAP groups.  mod_auth_dbm
> > for Apache uses the user information provided by cosign to do
> > the group lookup.
>
> Got an httpd.conf snippet you can share?

Very little cosign-specific here.  Assuming that you have cosign
set up and enabled:

AddModule mod_auth_dbm.c
<Directory />
  AuthDBMGroupFile /path/to/groups/file
  AuthDBMAuthoritative off
</Directory>
<Directory /path/to/pages/to/protect>
  Order allow,deny
  Allow from all
  CosignProtected On
  AuthType Cosign
  SSLRequireSSL
  require group mygroup
</Directory>


> cosign's job is authentication.  Authorization is a separate
> task that takes place outside of cosign after authentication
> occurs.  Authorization is usually handled the same way you
> handle authorization when using any other form of authentication
> other than cosign.
>
> > Quite true - it's just that apache's ldap-based access often does both
> > of these by virtue of the searches it uses.

Have you tried mod_authz_ldap?  I haven't used this myself,
but it's meant explicitly for authorization, not authentication.

                Mark Montague
                LS&A Information Technology
                The University of Michigan
                markmont@xxxxxxxxx
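
What goes in the file named by AuthDBMGroupFile above: mod_auth_dbm keys the group file on the username (here, the one cosign provides) and stores that user's groups as a comma-separated value with no whitespace or colons. The sketch below is an added example, not part of the original message or of cosign; the user and group names are constructed, and it assumes Python's default dbm backend matches the DBM library Apache was built with.

```python
"""Added example: build and query records for a mod_auth_dbm group file."""
import dbm
import re

# Conservative name check (an assumption of this example): the value field
# must not contain whitespace or colons, and commas separate groups.
NAME_OK = re.compile(r"^[^\s:,]+$")

# Constructed sample data: group -> members.
SAMPLE_GROUPS = {"mygroup": ["alice", "bob"], "admins": ["alice"]}


def invert_groups(groups):
    """Turn {group: [members]} into {username: "g1,g2"} records."""
    per_user = {}
    for group, members in groups.items():
        if not NAME_OK.match(group):
            raise ValueError(f"invalid group name: {group!r}")
        for user in members:
            if not NAME_OK.match(user):
                raise ValueError(f"invalid user name: {user!r}")
            per_user.setdefault(user, set()).add(group)
    return {u: ",".join(sorted(g)) for u, g in sorted(per_user.items())}


def write_group_dbm(path, records):
    """Write the records; Apache can only read the result if this backend
    is the same DBM flavour mod_auth_dbm was compiled against."""
    with dbm.open(path, "n") as db:
        for user, grouplist in records.items():
            db[user.encode()] = grouplist.encode()


def groups_for(path, user):
    """Return the groups stored for one user; unknown users get none."""
    with dbm.open(path, "r") as db:
        value = db.get(user.encode())
    return value.decode().split(",") if value else []


if __name__ == "__main__":
    for user, grouplist in invert_groups(SAMPLE_GROUPS).items():
        print(user, "=>", grouplist)
```

With these records, `require group mygroup` admits alice and bob; a user who authenticates through cosign but has no entry in the file belongs to no group.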



 
Copyright © 2002 - 2004 Regents of the University of Michigan :  Page last updated 15-December-2010