Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Getting apache to see a LDAP group membership change
Top Forums Web Development Getting apache to see a LDAP group membership change Post 302962321 by maraixadm on Friday 11th of December 2015 06:31:02 PM
Old 12-11-2015
Getting apache to see a LDAP group membership change
trying to implement authz to a webpage using require ldap-group. It works, except I need to do apachectl restart before the server will observe an add or a delete to the group.

Seems like apache is acquiring the group membership at startup & caching it.

It's a static group.

I have apache 2.2 on AIX and TDS LDAP.

We want to automate group member adds/deletes, which implies that we need to automate refreshing the server's knowledge of the group. Possible solutions I've wondered about:
  • using dynamic groups (membership would be evaluated on every authz rather than the principal/user being compared against a cached list). This may be conceptually correct but is not an option given our schema.
  • doing something fugly like require ldap-attribute is-member-yatta-blah. I should be able to use require ldap-group.
  • driving a apachectl refresh out of the add/delete automation. I'd do it with ssh to a public-key-protected login on the servers running apache, as long as that doesn't make our security heads hurl.
  • something in HTML that tells the server to refresh its cached image of group contents ?

ideas appreciated
 

10 More Discussions You Might Find Interesting

1. Solaris

Group membership limit

On Solaris, a user is limited to being a member of a maximum of 16 groups. Could someone tell me where this limit comes from, i.e. is it NIS, or Solaris, or NFS that is imposing this limit? What is the work-around to remove this limitation? (4 Replies)
Discussion started by: son_t
4 Replies

2. Red Hat

Issues with LDAP user/group permissions on NFS share

I can't seem to make sense of this. $ cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.2 Beta (Tikanga) $ $ mount /dev/sda2 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) /dev/sda1 on... (6 Replies)
Discussion started by: dfinn
6 Replies

3. Emergency UNIX and Linux Support

Configure Squid to use LDAP group auth to deny internet access

Hi all We have squid-2.5.STABLE11-3.FC4 running in our environment. LDAP authentication works fine. Active Directory 2003 Users are prompted to enter credentials every time they access the net. The system works perfectly, but I need to configure Squid to block users in a specific AD group.... (1 Reply)
Discussion started by: wbdevilliers
1 Replies

4. SuSE

ldap client_forcible pwd change

Hi, I have configured ldap client on openSUSE 11.3 with yast2 config. Since I am able to get list of all users through getent, it seems configuration done properly.But while logging in with ldap id its prompting for password change. login as: testuser Using keyboard-interactive... (1 Reply)
Discussion started by: tuxian
1 Replies

5. Solaris

Solaris LDAP group problem

I have a test environment which is running RedHat 6.5 Identity management. On the lab network are two Solaris 10 (U11) machines. I can successfully log into the S10 machines using the ldap username/passwords. However, I have a problem with groups and although I found through an internet search one... (3 Replies)
Discussion started by: cjhilinski
3 Replies

6. HP-UX

HP Software depo Apache with LDAP issue

HI guys, I've come to this great community with a problem that everything that I could find is related to a bug, in the ldap code in the apache but nothing else. My problem happens after installing the Apache from HP software depo, it installs sucessfully and everything, but when I setup a... (0 Replies)
Discussion started by: feliper
0 Replies

7. UNIX and Linux Applications

LDAP Group query

I need to write LDAP group query where I need to find if a particular user is a member of a 2 specific Groups. This is LDAP Novell edirectory implementation. Below are the details - ================ LDIF entry for OndotAPI group dn: cn=OndotAPI,ou=Groups,o=CNS changetype: add ... (0 Replies)
Discussion started by: jhamaks
0 Replies

8. UNIX for Advanced & Expert Users

AD Group Policy Management and Kerberos / LDAP

Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX? I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies

9. Web Development

LDAP Connection Issue on Apache Web Server

Hi.. I have very limited knowledge on LDAP and its configuration and but I have been trying to figure out one issue that takes place when I am running the program that is written in php, but so far its unsuccessful. The server, I am working on is ldap server, which is running on Apache. After... (1 Reply)
Discussion started by: GomathiUoM
1 Replies

10. Solaris

Apache 2.4 User/Group option with svcadm

Hello all, Solaris 11. Branch: 0.175.3.35.0.6.0 Asking for some assistance in trying to understand how Apache24 works with svcadm. I used: svccfg -s network/http:apache24 listprop setprop start/user=<rabbit> setprop start/group=<pod> This is also set in... (1 Reply)
Discussion started by: smiloo
1 Replies

LEARN ABOUT SUNOS

group

group(4)							   File Formats 							  group(4)

NAME

       group - group file

DESCRIPTION

       The  group  file  is a local source of group information. The group file can be used in conjunction with other group sources, including the
       NIS maps group.byname and group.bygid, the NIS+ table group, or group information stored on an LDAP server. Programs use  the  getgrnam(3C)
       routines to access this information.

       The group file contains a one-line entry for each group recognized by the system, of the form:

	      groupname:password: gid:user-list

       where

       groupname       The name of the group.

       gid	       The group's unique numerical ID (GID) within the system.

       user-list       A comma-separated list of users allowed in the group.

       The  maximum value of the gid field is 2147483647. To maximize interoperability and compatibility, administrators are recommended to assign
       groups using the range of GIDs below 60000 where possible.

       If the password field is empty, no password is demanded. During user identification and authentication, the supplementary group access list
       is  initialized sequentially from information in this file. If a user is in more groups than the system is configured for, {NGROUPS_MAX}, a
       warning will be given and subsequent group specifications will be ignored.

       Malformed entries cause routines that read this file to halt, in which case group assignments specified further along are  never  made.	To
       prevent this from happening, use grpck(1B) to check the /etc/group database from time to time.

       Previous  releases used a group entry beginning with a `+' (plus sign) or `-' (minus sign) to selectively incorporate entries from a naming
       service source (for example, an NIS map or data from an LDAP server) for  group.  If  still  required,  this  is  supported  by	specifying
       group:compat in nsswitch.conf(4). The compat source may not be supported in future releases. Possible sources are files followed by ldap or
       nisplus. This has the effect of incorporating information from an LDAP server or the entire contents of the  NIS+  group  table	after  the
       group file.

EXAMPLES

       Example 1: Sample of a group File.

       Here is a sample group file:

       root::0:root
       stooges:q.mJzTnu8icF.:10:larry,moe,curly

       and the sample group entry from nsswitch.conf:

       group: files ldap

       With  these  entries,  the  group stooges will have members larry, moe, and curly, and all groups listed on the LDAP server are effectively
       incorporated after the entry for stooges.

       If the group file was:

       root::0:root
       stooges:q.mJzTnu8icF.:10:larry,moe,curly
       +:

       and the group entry from nsswitch.conf:

       group: compat

       all the groups listed in the NIS group.bygid and group.byname maps would be effectively incorporated after the entry for stooges.

SEE ALSO

       groups(1), grpck(1B), newgrp(1), getgrnam(3C), initgroups(3C), nsswitch.conf(4), unistd.h(3HEAD)

       System Administration Guide: Basic Administration

SunOS 5.10							    22 Jul 2004 							  group(4)
All times are GMT -4. The time now is 08:08 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy