12-11-2015
Getting apache to see a LDAP group membership change
trying to implement authz to a webpage using require ldap-group. It works, except I need to do apachectl restart before the server will observe an add or a delete to the group.
Seems like apache is acquiring the group membership at startup & caching it.
It's a static group.
I have apache 2.2 on AIX and TDS LDAP.
We want to automate group member adds/deletes, which implies that we need to automate refreshing the server's knowledge of the group. Possible solutions I've wondered about
:
- using dynamic groups (membership would be evaluated on every authz rather than the principal/user being compared against a cached list). This may be conceptually correct but is not an option given our schema.
- doing something fugly like require ldap-attribute is-member-yatta-blah. I should be able to use require ldap-group.
- driving a apachectl refresh out of the add/delete automation. I'd do it with ssh to a public-key-protected login on the servers running apache, as long as that doesn't make our security heads hurl.
- something in HTML that tells the server to refresh its cached image of group contents ?
ideas appreciated
10 More Discussions You Might Find Interesting
1. Solaris
On Solaris, a user is limited to being a member of a maximum of 16 groups. Could someone tell me where this limit comes from, i.e. is it NIS, or Solaris, or NFS that is imposing this limit?
What is the work-around to remove this limitation? (4 Replies)
Discussion started by: son_t
4 Replies
2. Red Hat
I can't seem to make sense of this.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 Beta (Tikanga)
$
$ mount
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on... (6 Replies)
Discussion started by: dfinn
6 Replies
3. Emergency UNIX and Linux Support
Hi all
We have squid-2.5.STABLE11-3.FC4 running in our environment.
LDAP authentication works fine. Active Directory 2003 Users are prompted to enter credentials every time they access the net. The system works perfectly, but I need to configure Squid to block users in a specific AD group.... (1 Reply)
Discussion started by: wbdevilliers
1 Replies
4. SuSE
Hi,
I have configured ldap client on openSUSE 11.3 with yast2 config.
Since I am able to get list of all users through getent, it seems configuration done properly.But while logging in with ldap id its prompting for password change.
login as: testuser
Using keyboard-interactive... (1 Reply)
Discussion started by: tuxian
1 Replies
5. Solaris
I have a test environment which is running RedHat 6.5 Identity management. On the lab network are two Solaris 10 (U11) machines. I can successfully log into the S10 machines using the ldap username/passwords. However, I have a problem with groups and although I found through an internet search one... (3 Replies)
Discussion started by: cjhilinski
3 Replies
6. HP-UX
HI guys,
I've come to this great community with a problem that everything that I could find is related to a bug, in the ldap code in the apache but nothing else.
My problem happens after installing the Apache from HP software depo, it installs sucessfully and everything, but when I setup a... (0 Replies)
Discussion started by: feliper
0 Replies
7. UNIX and Linux Applications
I need to write LDAP group query where I need to find if a particular user is a member of a 2 specific Groups. This is LDAP Novell edirectory implementation.
Below are the details -
================
LDIF entry for OndotAPI group
dn: cn=OndotAPI,ou=Groups,o=CNS
changetype: add ... (0 Replies)
Discussion started by: jhamaks
0 Replies
8. UNIX for Advanced & Expert Users
Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX?
I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies
9. Web Development
Hi..
I have very limited knowledge on LDAP and its configuration and but I have been trying to figure out one issue that takes place when I am running the program that is written in php, but so far its unsuccessful.
The server, I am working on is ldap server, which is running on Apache. After... (1 Reply)
Discussion started by: GomathiUoM
1 Replies
10. Solaris
Hello all,
Solaris 11.
Branch: 0.175.3.35.0.6.0
Asking for some assistance in trying to understand how Apache24 works with svcadm.
I used:
svccfg -s network/http:apache24
listprop
setprop start/user=<rabbit>
setprop start/group=<pod>
This is also set in... (1 Reply)
Discussion started by: smiloo
1 Replies
group(4) File Formats group(4)
NAME
group - group file
DESCRIPTION
The group file is a local source of group information. The group file can be used in conjunction with other group sources, including the
NIS maps group.byname and group.bygid, the NIS+ table group, or group information stored on an LDAP server. Programs use the getgrnam(3C)
routines to access this information.
The group file contains a one-line entry for each group recognized by the system, of the form:
groupname:password: gid:user-list
where
groupname The name of the group.
gid The group's unique numerical ID (GID) within the system.
user-list A comma-separated list of users allowed in the group.
The maximum value of the gid field is 2147483647. To maximize interoperability and compatibility, administrators are recommended to assign
groups using the range of GIDs below 60000 where possible.
If the password field is empty, no password is demanded. During user identification and authentication, the supplementary group access list
is initialized sequentially from information in this file. If a user is in more groups than the system is configured for, {NGROUPS_MAX}, a
warning will be given and subsequent group specifications will be ignored.
Malformed entries cause routines that read this file to halt, in which case group assignments specified further along are never made. To
prevent this from happening, use grpck(1B) to check the /etc/group database from time to time.
Previous releases used a group entry beginning with a `+' (plus sign) or `-' (minus sign) to selectively incorporate entries from a naming
service source (for example, an NIS map or data from an LDAP server) for group. If still required, this is supported by specifying
group:compat in nsswitch.conf(4). The compat source may not be supported in future releases. Possible sources are files followed by ldap or
nisplus. This has the effect of incorporating information from an LDAP server or the entire contents of the NIS+ group table after the
group file.
EXAMPLES
Example 1: Sample of a group File.
Here is a sample group file:
root::0:root
stooges:q.mJzTnu8icF.:10:larry,moe,curly
and the sample group entry from nsswitch.conf:
group: files ldap
With these entries, the group stooges will have members larry, moe, and curly, and all groups listed on the LDAP server are effectively
incorporated after the entry for stooges.
If the group file was:
root::0:root
stooges:q.mJzTnu8icF.:10:larry,moe,curly
+:
and the group entry from nsswitch.conf:
group: compat
all the groups listed in the NIS group.bygid and group.byname maps would be effectively incorporated after the entry for stooges.
SEE ALSO
groups(1), grpck(1B), newgrp(1), getgrnam(3C), initgroups(3C), nsswitch.conf(4), unistd.h(3HEAD)
System Administration Guide: Basic Administration
SunOS 5.10 22 Jul 2004 group(4)