12-11-2015
Getting apache to see a LDAP group membership change
trying to implement authz to a webpage using require ldap-group. It works, except I need to do apachectl restart before the server will observe an add or a delete to the group.
Seems like apache is acquiring the group membership at startup & caching it.
It's a static group.
I have apache 2.2 on AIX and TDS LDAP.
We want to automate group member adds/deletes, which implies that we need to automate refreshing the server's knowledge of the group. Possible solutions I've wondered about
:
- using dynamic groups (membership would be evaluated on every authz rather than the principal/user being compared against a cached list). This may be conceptually correct but is not an option given our schema.
- doing something fugly like require ldap-attribute is-member-yatta-blah. I should be able to use require ldap-group.
- driving a apachectl refresh out of the add/delete automation. I'd do it with ssh to a public-key-protected login on the servers running apache, as long as that doesn't make our security heads hurl.
- something in HTML that tells the server to refresh its cached image of group contents ?
ideas appreciated
10 More Discussions You Might Find Interesting
1. Solaris
On Solaris, a user is limited to being a member of a maximum of 16 groups. Could someone tell me where this limit comes from, i.e. is it NIS, or Solaris, or NFS that is imposing this limit?
What is the work-around to remove this limitation? (4 Replies)
Discussion started by: son_t
4 Replies
2. Red Hat
I can't seem to make sense of this.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 Beta (Tikanga)
$
$ mount
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on... (6 Replies)
Discussion started by: dfinn
6 Replies
3. Emergency UNIX and Linux Support
Hi all
We have squid-2.5.STABLE11-3.FC4 running in our environment.
LDAP authentication works fine. Active Directory 2003 Users are prompted to enter credentials every time they access the net. The system works perfectly, but I need to configure Squid to block users in a specific AD group.... (1 Reply)
Discussion started by: wbdevilliers
1 Replies
4. SuSE
Hi,
I have configured ldap client on openSUSE 11.3 with yast2 config.
Since I am able to get list of all users through getent, it seems configuration done properly.But while logging in with ldap id its prompting for password change.
login as: testuser
Using keyboard-interactive... (1 Reply)
Discussion started by: tuxian
1 Replies
5. Solaris
I have a test environment which is running RedHat 6.5 Identity management. On the lab network are two Solaris 10 (U11) machines. I can successfully log into the S10 machines using the ldap username/passwords. However, I have a problem with groups and although I found through an internet search one... (3 Replies)
Discussion started by: cjhilinski
3 Replies
6. HP-UX
HI guys,
I've come to this great community with a problem that everything that I could find is related to a bug, in the ldap code in the apache but nothing else.
My problem happens after installing the Apache from HP software depo, it installs sucessfully and everything, but when I setup a... (0 Replies)
Discussion started by: feliper
0 Replies
7. UNIX and Linux Applications
I need to write LDAP group query where I need to find if a particular user is a member of a 2 specific Groups. This is LDAP Novell edirectory implementation.
Below are the details -
================
LDIF entry for OndotAPI group
dn: cn=OndotAPI,ou=Groups,o=CNS
changetype: add ... (0 Replies)
Discussion started by: jhamaks
0 Replies
8. UNIX for Advanced & Expert Users
Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX?
I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies
9. Web Development
Hi..
I have very limited knowledge on LDAP and its configuration and but I have been trying to figure out one issue that takes place when I am running the program that is written in php, but so far its unsuccessful.
The server, I am working on is ldap server, which is running on Apache. After... (1 Reply)
Discussion started by: GomathiUoM
1 Replies
10. Solaris
Hello all,
Solaris 11.
Branch: 0.175.3.35.0.6.0
Asking for some assistance in trying to understand how Apache24 works with svcadm.
I used:
svccfg -s network/http:apache24
listprop
setprop start/user=<rabbit>
setprop start/group=<pod>
This is also set in... (1 Reply)
Discussion started by: smiloo
1 Replies
LEARN ABOUT CENTOS
groupmems
GROUPMEMS(8) System Management Commands GROUPMEMS(8)
NAME
groupmems - administer members of a user's primary group
SYNOPSIS
groupmems -a user_name | -d user_name | [-g group_name] | -l | -p
DESCRIPTION
The groupmems command allows a user to administer his/her own group membership list without the requirement of superuser privileges. The
groupmems utility is for systems that configure its users to be in their own name sake primary group (i.e., guest / guest).
Only the superuser, as administrator, can use groupmems to alter the memberships of other groups.
OPTIONS
The options which apply to the groupmems command are:
-a, --add user_name
Add an user to the group membership list.
If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.
-d, --delete user_name
Delete a user from the group membership list.
If the /etc/gshadow file exist, the user will be removed from the list of members and administrators of the group.
If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.
-g, --group group_name
The superuser can specify which group membership list to modify.
-h, --help
Display help message and exit.
-l, --list
List the group membership list.
-p, --purge
Purge all users from the group membership list.
If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.
-R, --root CHROOT_DIR
Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.
SETUP
The groupmems executable should be in mode 2770 as user root and in group groups. The system administrator can add users to group groups to
allow or disallow them using the groupmems utility to manage their own group membership list.
$ groupadd -r groups
$ chmod 2770 groupmems
$ chown root.groups groupmems
$ groupmems -g groups -a gk4
CONFIGURATION
The following configuration variables in /etc/login.defs change the behavior of this tool:
MAX_MEMBERS_PER_GROUP (number)
Maximum members per group entry. When the maximum is reached, a new group entry (line) is started in /etc/group (with the same name,
same password, and same GID).
The default value is 0, meaning that there are no limits in the number of members in a group.
This feature (split group) permits to limit the length of lines in the group file. This is useful to make sure that lines for NIS
groups are not larger than 1024 characters.
If you need to enforce such limit, you can use 25.
Note: split groups may not be supported by all tools (even in the Shadow toolsuite). You should not use this variable unless you really
need it.
FILES
/etc/group
Group account information.
/etc/gshadow
secure group account information
SEE ALSO
chfn(1), chsh(1), passwd(1), groupadd(8), groupdel(8), useradd(8), userdel(8), usermod(8).
shadow-utils 4.1.5.1 05/25/2012 GROUPMEMS(8)