12-11-2015
Getting apache to see a LDAP group membership change
trying to implement authz to a webpage using require ldap-group. It works, except I need to do apachectl restart before the server will observe an add or a delete to the group.
Seems like apache is acquiring the group membership at startup & caching it.
It's a static group.
I have apache 2.2 on AIX and TDS LDAP.
We want to automate group member adds/deletes, which implies that we need to automate refreshing the server's knowledge of the group. Possible solutions I've wondered about
:
- using dynamic groups (membership would be evaluated on every authz rather than the principal/user being compared against a cached list). This may be conceptually correct but is not an option given our schema.
- doing something fugly like require ldap-attribute is-member-yatta-blah. I should be able to use require ldap-group.
- driving a apachectl refresh out of the add/delete automation. I'd do it with ssh to a public-key-protected login on the servers running apache, as long as that doesn't make our security heads hurl.
- something in HTML that tells the server to refresh its cached image of group contents ?
ideas appreciated
10 More Discussions You Might Find Interesting
1. Solaris
On Solaris, a user is limited to being a member of a maximum of 16 groups. Could someone tell me where this limit comes from, i.e. is it NIS, or Solaris, or NFS that is imposing this limit?
What is the work-around to remove this limitation? (4 Replies)
Discussion started by: son_t
4 Replies
2. Red Hat
I can't seem to make sense of this.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 Beta (Tikanga)
$
$ mount
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on... (6 Replies)
Discussion started by: dfinn
6 Replies
3. Emergency UNIX and Linux Support
Hi all
We have squid-2.5.STABLE11-3.FC4 running in our environment.
LDAP authentication works fine. Active Directory 2003 Users are prompted to enter credentials every time they access the net. The system works perfectly, but I need to configure Squid to block users in a specific AD group.... (1 Reply)
Discussion started by: wbdevilliers
1 Replies
4. SuSE
Hi,
I have configured ldap client on openSUSE 11.3 with yast2 config.
Since I am able to get list of all users through getent, it seems configuration done properly.But while logging in with ldap id its prompting for password change.
login as: testuser
Using keyboard-interactive... (1 Reply)
Discussion started by: tuxian
1 Replies
5. Solaris
I have a test environment which is running RedHat 6.5 Identity management. On the lab network are two Solaris 10 (U11) machines. I can successfully log into the S10 machines using the ldap username/passwords. However, I have a problem with groups and although I found through an internet search one... (3 Replies)
Discussion started by: cjhilinski
3 Replies
6. HP-UX
HI guys,
I've come to this great community with a problem that everything that I could find is related to a bug, in the ldap code in the apache but nothing else.
My problem happens after installing the Apache from HP software depo, it installs sucessfully and everything, but when I setup a... (0 Replies)
Discussion started by: feliper
0 Replies
7. UNIX and Linux Applications
I need to write LDAP group query where I need to find if a particular user is a member of a 2 specific Groups. This is LDAP Novell edirectory implementation.
Below are the details -
================
LDIF entry for OndotAPI group
dn: cn=OndotAPI,ou=Groups,o=CNS
changetype: add ... (0 Replies)
Discussion started by: jhamaks
0 Replies
8. UNIX for Advanced & Expert Users
Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX?
I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies
9. Web Development
Hi..
I have very limited knowledge on LDAP and its configuration and but I have been trying to figure out one issue that takes place when I am running the program that is written in php, but so far its unsuccessful.
The server, I am working on is ldap server, which is running on Apache. After... (1 Reply)
Discussion started by: GomathiUoM
1 Replies
10. Solaris
Hello all,
Solaris 11.
Branch: 0.175.3.35.0.6.0
Asking for some assistance in trying to understand how Apache24 works with svcadm.
I used:
svccfg -s network/http:apache24
listprop
setprop start/user=<rabbit>
setprop start/group=<pod>
This is also set in... (1 Reply)
Discussion started by: smiloo
1 Replies
LEARN ABOUT CENTOS
apachectl
APACHECTL(8) apachectl APACHECTL(8)
NAME
apachectl - Apache HTTP Server Control Interface
SYNOPSIS
When acting in pass-through mode, apachectl can take all the arguments available for the httpd binary.
apachectl [ httpd-argument ]
When acting in SysV init mode, apachectl takes simple, one-word commands, defined below.
apachectl command
SUMMARY
apachectl is a front end to the Apache HyperText Transfer Protocol (HTTP) server. It is designed to help the administrator control the
functioning of the Apache httpd daemon.
The apachectl script can operate in two modes. First, it can act as a simple front-end to the httpd command that simply sets any necessary
environment variables and then invokes httpd, passing through any command line arguments. Second, apachectl can act as a SysV init script,
taking simple one-word arguments like start, restart, and stop, and translating them into appropriate signals to httpd.
If your Apache installation uses non-standard paths, you will need to edit the apachectl script to set the appropriate paths to the httpd
binary. You can also specify any necessary httpd command line arguments. See the comments in the script for details.
The apachectl script returns a 0 exit value on success, and >0 if an error occurs. For more details, view the comments in the script.
OPTIONS
Only the SysV init-style options are defined here. Other arguments are defined on the httpd manual page.
start Start the Apache httpd daemon. Gives an error if it is already running. This is equivalent to apachectl -k start.
stop Stops the Apache httpd daemon. This is equivalent to apachectl -k stop.
restart
Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration
files as in configtest before initiating the restart to make sure the daemon doesn't die. This is equivalent to apachectl -k
restart.
fullstatus
Displays a full status report from mod_status. For this to work, you need to have mod_status enabled on your server and a text-based
browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable
in the script.
status Displays a brief status report. Similar to the fullstatus option, except that the list of requests currently being served is omit-
ted.
graceful
Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that
currently open connections are not aborted. A side effect is that old log files will not be closed immediately. This means that if
used in a log rotation script, a substantial delay may be necessary to ensure that the old log files are closed before processing
them. This command automatically checks the configuration files as in configtest before initiating the restart to make sure Apache
doesn't die. This is equivalent to apachectl -k graceful.
graceful-stop
Gracefully stops the Apache httpd daemon. This differs from a normal stop in that currently open connections are not aborted. A side
effect is that old log files will not be closed immediately. This is equivalent to apachectl -k graceful-stop.
configtest
Run a configuration file syntax test. It parses the configuration files and either reports Syntax Ok or detailed information about
the particular syntax error. This is equivalent to apachectl -t.
The following option was available in earlier versions but has been removed.
startssl
To start httpd with SSL support, you should edit your configuration file to include the relevant directives and then use the normal
apachectl start.
Apache HTTP Server 2005-08-26 APACHECTL(8)