Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Getting apache to see a LDAP group membership change
Top Forums Web Development Getting apache to see a LDAP group membership change Post 302962321 by maraixadm on Friday 11th of December 2015 06:31:02 PM
Old 12-11-2015
Getting apache to see a LDAP group membership change
trying to implement authz to a webpage using require ldap-group. It works, except I need to do apachectl restart before the server will observe an add or a delete to the group.

Seems like apache is acquiring the group membership at startup & caching it.

It's a static group.

I have apache 2.2 on AIX and TDS LDAP.

We want to automate group member adds/deletes, which implies that we need to automate refreshing the server's knowledge of the group. Possible solutions I've wondered about:
  • using dynamic groups (membership would be evaluated on every authz rather than the principal/user being compared against a cached list). This may be conceptually correct but is not an option given our schema.
  • doing something fugly like require ldap-attribute is-member-yatta-blah. I should be able to use require ldap-group.
  • driving a apachectl refresh out of the add/delete automation. I'd do it with ssh to a public-key-protected login on the servers running apache, as long as that doesn't make our security heads hurl.
  • something in HTML that tells the server to refresh its cached image of group contents ?

ideas appreciated
 

10 More Discussions You Might Find Interesting

1. Solaris

Group membership limit

On Solaris, a user is limited to being a member of a maximum of 16 groups. Could someone tell me where this limit comes from, i.e. is it NIS, or Solaris, or NFS that is imposing this limit? What is the work-around to remove this limitation? (4 Replies)
Discussion started by: son_t
4 Replies

2. Red Hat

Issues with LDAP user/group permissions on NFS share

I can't seem to make sense of this. $ cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.2 Beta (Tikanga) $ $ mount /dev/sda2 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) /dev/sda1 on... (6 Replies)
Discussion started by: dfinn
6 Replies

3. Emergency UNIX and Linux Support

Configure Squid to use LDAP group auth to deny internet access

Hi all We have squid-2.5.STABLE11-3.FC4 running in our environment. LDAP authentication works fine. Active Directory 2003 Users are prompted to enter credentials every time they access the net. The system works perfectly, but I need to configure Squid to block users in a specific AD group.... (1 Reply)
Discussion started by: wbdevilliers
1 Replies

4. SuSE

ldap client_forcible pwd change

Hi, I have configured ldap client on openSUSE 11.3 with yast2 config. Since I am able to get list of all users through getent, it seems configuration done properly.But while logging in with ldap id its prompting for password change. login as: testuser Using keyboard-interactive... (1 Reply)
Discussion started by: tuxian
1 Replies

5. Solaris

Solaris LDAP group problem

I have a test environment which is running RedHat 6.5 Identity management. On the lab network are two Solaris 10 (U11) machines. I can successfully log into the S10 machines using the ldap username/passwords. However, I have a problem with groups and although I found through an internet search one... (3 Replies)
Discussion started by: cjhilinski
3 Replies

6. HP-UX

HP Software depo Apache with LDAP issue

HI guys, I've come to this great community with a problem that everything that I could find is related to a bug, in the ldap code in the apache but nothing else. My problem happens after installing the Apache from HP software depo, it installs sucessfully and everything, but when I setup a... (0 Replies)
Discussion started by: feliper
0 Replies

7. UNIX and Linux Applications

LDAP Group query

I need to write LDAP group query where I need to find if a particular user is a member of a 2 specific Groups. This is LDAP Novell edirectory implementation. Below are the details - ================ LDIF entry for OndotAPI group dn: cn=OndotAPI,ou=Groups,o=CNS changetype: add ... (0 Replies)
Discussion started by: jhamaks
0 Replies

8. UNIX for Advanced & Expert Users

AD Group Policy Management and Kerberos / LDAP

Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX? I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies

9. Web Development

LDAP Connection Issue on Apache Web Server

Hi.. I have very limited knowledge on LDAP and its configuration and but I have been trying to figure out one issue that takes place when I am running the program that is written in php, but so far its unsuccessful. The server, I am working on is ldap server, which is running on Apache. After... (1 Reply)
Discussion started by: GomathiUoM
1 Replies

10. Solaris

Apache 2.4 User/Group option with svcadm

Hello all, Solaris 11. Branch: 0.175.3.35.0.6.0 Asking for some assistance in trying to understand how Apache24 works with svcadm. I used: svccfg -s network/http:apache24 listprop setprop start/user=<rabbit> setprop start/group=<pod> This is also set in... (1 Reply)
Discussion started by: smiloo
1 Replies

LEARN ABOUT CENTOS

groupmems

GROUPMEMS(8)						    System Management Commands						      GROUPMEMS(8)

NAME

       groupmems - administer members of a user's primary group

SYNOPSIS

       groupmems -a user_name | -d user_name | [-g group_name] | -l | -p

DESCRIPTION

       The groupmems command allows a user to administer his/her own group membership list without the requirement of superuser privileges. The
       groupmems utility is for systems that configure its users to be in their own name sake primary group (i.e., guest / guest).

       Only the superuser, as administrator, can use groupmems to alter the memberships of other groups.

OPTIONS

       The options which apply to the groupmems command are:

       -a, --add user_name
	   Add an user to the group membership list.

	   If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.

       -d, --delete user_name
	   Delete a user from the group membership list.

	   If the /etc/gshadow file exist, the user will be removed from the list of members and administrators of the group.

	   If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.

       -g, --group group_name
	   The superuser can specify which group membership list to modify.

       -h, --help
	   Display help message and exit.

       -l, --list
	   List the group membership list.

       -p, --purge
	   Purge all users from the group membership list.

	   If the /etc/gshadow file exist, and the group has no entry in the /etc/gshadow file, a new entry will be created.

       -R, --root CHROOT_DIR
	   Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.

SETUP

       The groupmems executable should be in mode 2770 as user root and in group groups. The system administrator can add users to group groups to
       allow or disallow them using the groupmems utility to manage their own group membership list.

		$ groupadd -r groups
		$ chmod 2770 groupmems
		$ chown root.groups groupmems
		$ groupmems -g groups -a gk4

CONFIGURATION

       The following configuration variables in /etc/login.defs change the behavior of this tool:

       MAX_MEMBERS_PER_GROUP (number)
	   Maximum members per group entry. When the maximum is reached, a new group entry (line) is started in /etc/group (with the same name,
	   same password, and same GID).

	   The default value is 0, meaning that there are no limits in the number of members in a group.

	   This feature (split group) permits to limit the length of lines in the group file. This is useful to make sure that lines for NIS
	   groups are not larger than 1024 characters.

	   If you need to enforce such limit, you can use 25.

	   Note: split groups may not be supported by all tools (even in the Shadow toolsuite). You should not use this variable unless you really
	   need it.

FILES

       /etc/group
	   Group account information.

       /etc/gshadow
	   secure group account information

SEE ALSO

       chfn(1), chsh(1), passwd(1), groupadd(8), groupdel(8), useradd(8), userdel(8), usermod(8).

shadow-utils 4.1.5.1						    05/25/2012							      GROUPMEMS(8)
All times are GMT -4. The time now is 10:54 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy