Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Getting apache to see a LDAP group membership change
Top Forums Web Development Getting apache to see a LDAP group membership change Post 302962321 by maraixadm on Friday 11th of December 2015 06:31:02 PM
Old 12-11-2015
Getting apache to see a LDAP group membership change
trying to implement authz to a webpage using require ldap-group. It works, except I need to do apachectl restart before the server will observe an add or a delete to the group.

Seems like apache is acquiring the group membership at startup & caching it.

It's a static group.

I have apache 2.2 on AIX and TDS LDAP.

We want to automate group member adds/deletes, which implies that we need to automate refreshing the server's knowledge of the group. Possible solutions I've wondered about:
  • using dynamic groups (membership would be evaluated on every authz rather than the principal/user being compared against a cached list). This may be conceptually correct but is not an option given our schema.
  • doing something fugly like require ldap-attribute is-member-yatta-blah. I should be able to use require ldap-group.
  • driving a apachectl refresh out of the add/delete automation. I'd do it with ssh to a public-key-protected login on the servers running apache, as long as that doesn't make our security heads hurl.
  • something in HTML that tells the server to refresh its cached image of group contents ?

ideas appreciated
 

10 More Discussions You Might Find Interesting

1. Solaris

Group membership limit

On Solaris, a user is limited to being a member of a maximum of 16 groups. Could someone tell me where this limit comes from, i.e. is it NIS, or Solaris, or NFS that is imposing this limit? What is the work-around to remove this limitation? (4 Replies)
Discussion started by: son_t
4 Replies

2. Red Hat

Issues with LDAP user/group permissions on NFS share

I can't seem to make sense of this. $ cat /etc/redhat-release Red Hat Enterprise Linux Server release 5.2 Beta (Tikanga) $ $ mount /dev/sda2 on / type ext3 (rw) proc on /proc type proc (rw) sysfs on /sys type sysfs (rw) devpts on /dev/pts type devpts (rw,gid=5,mode=620) /dev/sda1 on... (6 Replies)
Discussion started by: dfinn
6 Replies

3. Emergency UNIX and Linux Support

Configure Squid to use LDAP group auth to deny internet access

Hi all We have squid-2.5.STABLE11-3.FC4 running in our environment. LDAP authentication works fine. Active Directory 2003 Users are prompted to enter credentials every time they access the net. The system works perfectly, but I need to configure Squid to block users in a specific AD group.... (1 Reply)
Discussion started by: wbdevilliers
1 Replies

4. SuSE

ldap client_forcible pwd change

Hi, I have configured ldap client on openSUSE 11.3 with yast2 config. Since I am able to get list of all users through getent, it seems configuration done properly.But while logging in with ldap id its prompting for password change. login as: testuser Using keyboard-interactive... (1 Reply)
Discussion started by: tuxian
1 Replies

5. Solaris

Solaris LDAP group problem

I have a test environment which is running RedHat 6.5 Identity management. On the lab network are two Solaris 10 (U11) machines. I can successfully log into the S10 machines using the ldap username/passwords. However, I have a problem with groups and although I found through an internet search one... (3 Replies)
Discussion started by: cjhilinski
3 Replies

6. HP-UX

HP Software depo Apache with LDAP issue

HI guys, I've come to this great community with a problem that everything that I could find is related to a bug, in the ldap code in the apache but nothing else. My problem happens after installing the Apache from HP software depo, it installs sucessfully and everything, but when I setup a... (0 Replies)
Discussion started by: feliper
0 Replies

7. UNIX and Linux Applications

LDAP Group query

I need to write LDAP group query where I need to find if a particular user is a member of a 2 specific Groups. This is LDAP Novell edirectory implementation. Below are the details - ================ LDIF entry for OndotAPI group dn: cn=OndotAPI,ou=Groups,o=CNS changetype: add ... (0 Replies)
Discussion started by: jhamaks
0 Replies

8. UNIX for Advanced & Expert Users

AD Group Policy Management and Kerberos / LDAP

Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX? I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies

9. Web Development

LDAP Connection Issue on Apache Web Server

Hi.. I have very limited knowledge on LDAP and its configuration and but I have been trying to figure out one issue that takes place when I am running the program that is written in php, but so far its unsuccessful. The server, I am working on is ldap server, which is running on Apache. After... (1 Reply)
Discussion started by: GomathiUoM
1 Replies

10. Solaris

Apache 2.4 User/Group option with svcadm

Hello all, Solaris 11. Branch: 0.175.3.35.0.6.0 Asking for some assistance in trying to understand how Apache24 works with svcadm. I used: svccfg -s network/http:apache24 listprop setprop start/user=<rabbit> setprop start/group=<pod> This is also set in... (1 Reply)
Discussion started by: smiloo
1 Replies

LEARN ABOUT CENTOS

apachectl

APACHECTL(8)							     apachectl							      APACHECTL(8)

NAME

       apachectl - Apache HTTP Server Control Interface

SYNOPSIS

       When acting in pass-through mode, apachectl can take all the arguments available for the httpd binary.

       apachectl [ httpd-argument ]

       When acting in SysV init mode, apachectl takes simple, one-word commands, defined below.

       apachectl command

SUMMARY

       apachectl  is  a  front	end  to the Apache HyperText Transfer Protocol (HTTP) server. It is designed to help the administrator control the
       functioning of the Apache httpd daemon.

       The apachectl script can operate in two modes. First, it can act as a simple front-end to the httpd command that simply sets any  necessary
       environment  variables and then invokes httpd, passing through any command line arguments. Second, apachectl can act as a SysV init script,
       taking simple one-word arguments like start, restart, and stop, and translating them into appropriate signals to httpd.

       If your Apache installation uses non-standard paths, you will need to edit the apachectl script to set the appropriate paths to	the  httpd
       binary. You can also specify any necessary httpd command line arguments. See the comments in the script for details.

       The apachectl script returns a 0 exit value on success, and >0 if an error occurs. For more details, view the comments in the script.

OPTIONS

       Only the SysV init-style options are defined here. Other arguments are defined on the httpd manual page.

       start  Start the Apache httpd daemon. Gives an error if it is already running. This is equivalent to apachectl -k start.

       stop   Stops the Apache httpd daemon. This is equivalent to apachectl -k stop.

       restart
	      Restarts	the  Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration
	      files as in configtest before initiating the restart to make sure the daemon  doesn't  die.  This  is  equivalent  to  apachectl	-k
	      restart.

       fullstatus
	      Displays a full status report from mod_status. For this to work, you need to have mod_status enabled on your server and a text-based
	      browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable
	      in the script.

       status Displays	a  brief status report. Similar to the fullstatus option, except that the list of requests currently being served is omit-
	      ted.

       graceful
	      Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that
	      currently  open  connections are not aborted. A side effect is that old log files will not be closed immediately. This means that if
	      used in a log rotation script, a substantial delay may be necessary to ensure that the old log files are	closed	before	processing
	      them.  This  command automatically checks the configuration files as in configtest before initiating the restart to make sure Apache
	      doesn't die. This is equivalent to apachectl -k graceful.

       graceful-stop
	      Gracefully stops the Apache httpd daemon. This differs from a normal stop in that currently open connections are not aborted. A side
	      effect is that old log files will not be closed immediately. This is equivalent to apachectl -k graceful-stop.

       configtest
	      Run  a  configuration file syntax test. It parses the configuration files and either reports Syntax Ok or detailed information about
	      the particular syntax error. This is equivalent to apachectl -t.

       The following option was available in earlier versions but has been removed.

       startssl
	      To start httpd with SSL support, you should edit your configuration file to include the relevant directives and then use the  normal
	      apachectl start.

Apache HTTP Server						    2005-08-26							      APACHECTL(8)
All times are GMT -4. The time now is 05:30 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy