12-11-2015
Getting apache to see a LDAP group membership change
trying to implement authz to a webpage using require ldap-group. It works, except I need to do apachectl restart before the server will observe an add or a delete to the group.
Seems like apache is acquiring the group membership at startup & caching it.
It's a static group.
I have apache 2.2 on AIX and TDS LDAP.
We want to automate group member adds/deletes, which implies that we need to automate refreshing the server's knowledge of the group. Possible solutions I've wondered about
:
- using dynamic groups (membership would be evaluated on every authz rather than the principal/user being compared against a cached list). This may be conceptually correct but is not an option given our schema.
- doing something fugly like require ldap-attribute is-member-yatta-blah. I should be able to use require ldap-group.
- driving a apachectl refresh out of the add/delete automation. I'd do it with ssh to a public-key-protected login on the servers running apache, as long as that doesn't make our security heads hurl.
- something in HTML that tells the server to refresh its cached image of group contents ?
ideas appreciated
10 More Discussions You Might Find Interesting
1. Solaris
On Solaris, a user is limited to being a member of a maximum of 16 groups. Could someone tell me where this limit comes from, i.e. is it NIS, or Solaris, or NFS that is imposing this limit?
What is the work-around to remove this limitation? (4 Replies)
Discussion started by: son_t
4 Replies
2. Red Hat
I can't seem to make sense of this.
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.2 Beta (Tikanga)
$
$ mount
/dev/sda2 on / type ext3 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
/dev/sda1 on... (6 Replies)
Discussion started by: dfinn
6 Replies
3. Emergency UNIX and Linux Support
Hi all
We have squid-2.5.STABLE11-3.FC4 running in our environment.
LDAP authentication works fine. Active Directory 2003 Users are prompted to enter credentials every time they access the net. The system works perfectly, but I need to configure Squid to block users in a specific AD group.... (1 Reply)
Discussion started by: wbdevilliers
1 Replies
4. SuSE
Hi,
I have configured ldap client on openSUSE 11.3 with yast2 config.
Since I am able to get list of all users through getent, it seems configuration done properly.But while logging in with ldap id its prompting for password change.
login as: testuser
Using keyboard-interactive... (1 Reply)
Discussion started by: tuxian
1 Replies
5. Solaris
I have a test environment which is running RedHat 6.5 Identity management. On the lab network are two Solaris 10 (U11) machines. I can successfully log into the S10 machines using the ldap username/passwords. However, I have a problem with groups and although I found through an internet search one... (3 Replies)
Discussion started by: cjhilinski
3 Replies
6. HP-UX
HI guys,
I've come to this great community with a problem that everything that I could find is related to a bug, in the ldap code in the apache but nothing else.
My problem happens after installing the Apache from HP software depo, it installs sucessfully and everything, but when I setup a... (0 Replies)
Discussion started by: feliper
0 Replies
7. UNIX and Linux Applications
I need to write LDAP group query where I need to find if a particular user is a member of a 2 specific Groups. This is LDAP Novell edirectory implementation.
Below are the details -
================
LDIF entry for OndotAPI group
dn: cn=OndotAPI,ou=Groups,o=CNS
changetype: add ... (0 Replies)
Discussion started by: jhamaks
0 Replies
8. UNIX for Advanced & Expert Users
Has anyone attempted to define GPO / HBAC policies in Windows Server 2012 that could be respected by Kerberos/LDAP on AIX?
I'm looking to associate servers to groups so that when a user part of a group tries to login to a host not associated with that group, it would be denied. This would allow... (3 Replies)
Discussion started by: Devyn
3 Replies
9. Web Development
Hi..
I have very limited knowledge on LDAP and its configuration and but I have been trying to figure out one issue that takes place when I am running the program that is written in php, but so far its unsuccessful.
The server, I am working on is ldap server, which is running on Apache. After... (1 Reply)
Discussion started by: GomathiUoM
1 Replies
10. Solaris
Hello all,
Solaris 11.
Branch: 0.175.3.35.0.6.0
Asking for some assistance in trying to understand how Apache24 works with svcadm.
I used:
svccfg -s network/http:apache24
listprop
setprop start/user=<rabbit>
setprop start/group=<pod>
This is also set in... (1 Reply)
Discussion started by: smiloo
1 Replies
LEARN ABOUT CENTOS
net::ldap::extra::ad
Net::LDAP::Extra::AD(3) User Contributed Perl Documentation Net::LDAP::Extra::AD(3)
NAME
Net::LDAP::Extra::AD -- AD convenience methods
SYNOPSIS
use Net::LDAP::Extra qw(AD);
$ldap = Net::LDAP->new( ... );
...
if ($ldap->is_AD || $ldap->is_ADAM) {
$ldap->change_ADpassword($dn, $old_password, $new_password);
}
DESCRIPTION
Net::LDAP::Extra::AD tries to spare users the necessity to reinvent the wheel again and again in order to correctly encode password strings
so that they can be used in AD password change operations.
To do so, it provides the following methods:
METHODS
is_AD ( )
Tell if the LDAP server queried is an Active Directory Domain Controller.
As the check is done by querying the root DSE of the directory, it works without being bound to the directory.
is_ADAM ( )
Tell if the LDAP server queried is running AD LDS (Active Directory Lightweight Directory Services), previously known as ADAM (Active
Directoy Application Mode).
As the check is done by querying the root DSE of the directory, it works without being bound to the directory.
change_ADpassword ( DN, OLD_PASSWORD, NEW_PASSWORD )
Change the password of the account given by DN from its old value OLD_PASSWORD to the new value NEW_PASSWORD.
This method requires encrypted connections.
reset_ADpassword ( DN, NEW_PASSWORD, OPTIONS )
Reset the password of the account given by DN to the value given in NEW_PASSWORD. OPTIONS is a list of key/value pairs. The following
keys are recognized:
force_change
If TRUE, the affected user is required to change the password at next login.
For this method to work, the caller needs to be bound to AD with sufficient permissions, and the connection needs to be encrypted.
AUTHOR
Peter Marschall <peter@adpm.de<gt>
COPYRIGHT
Copyright (c) 2012 Peter Marschall. All rights reserved. This program is free software; you can redistribute it and/or modify it under the
same terms as Perl itself.
perl v5.16.3 2013-06-07 Net::LDAP::Extra::AD(3)