Is it possible to use a portion of the request URI as an input into mod_authnz_ldap's Require ldap-group directive?
I'm trying to dynamically check access to a bunch of different project directories, all under http://testserver.com/projects/, such that a user accessing /projects/abc would be checked for membership in cn=abc,ou=groups,dc=test. Ideally I'd like to do this without creating a separate Location directive for each project, since there could well be hundreds of them.
I have come up with this, which illustrates the general concept, but which doesn't work (project_name doesn't retrieve the actual variable contents):
<Location /projects>
SetEnvIf Request_URI "/projects/([-a-z0-9A-Z_]+)/" project_name=$1
AuthType Basic
AuthBasicProvider ldap
AuthName "Restricted Resource - SVN (LDAP)"
AuthLDAPURL "ldap://127.0.0.1:389/dc=test?uid"
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
Require ldap-group cn=%{project_name},ou=groups,dc=test
</Location>
Help?
In Apache 2.4.8 and later, this is now possible:
Note that the spaces in the Require directive may be needed. See the mod_authnz_ldap documentation, especially example 5. Thanks to Buri for finding the answer to this old question in Apache2 ldap authorization with dynamic group name based on server name.
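One way to write the 2.4.8+ approach, as an added example that is not the answer's original code: it assumes Apache httpd 2.4.8 or later, reuses the LDAP settings from the question, and uses a capture group name (project) chosen for this example.

```apache
# Added example; assumes Apache httpd 2.4.8+ with mod_authnz_ldap loaded.
# LDAP settings are copied from the question; the group name "project" is
# a name chosen for this example.

# Fail closed: anything under /projects that the LocationMatch below does
# not match (no project segment, or characters outside the allow-list)
# is refused rather than served without an authorization check.
<Location "/projects">
    Require all denied
</Location>

# The named group (?<project>...) is exported as the environment variable
# MATCH_PROJECT. The character class is deliberately narrow because the
# captured text is interpolated into an LDAP DN.
<LocationMatch "^/projects/(?<project>[-A-Za-z0-9_]+)(/|$)">
    AuthType Basic
    AuthBasicProvider ldap
    AuthName "Restricted Resource - SVN (LDAP)"
    AuthLDAPURL "ldap://127.0.0.1:389/dc=test?uid"
    AuthLDAPGroupAttributeIsDN off
    AuthLDAPGroupAttribute memberUid

    # /projects/abc/... requires membership in cn=abc,ou=groups,dc=test
    Require ldap-group "cn=%{env:MATCH_PROJECT},ou=groups,dc=test"
</LocationMatch>
```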
I believe Apache 2.4 has more to offer in this area than 2.2... might be worth looking at.
Alternatively, it may be worth looking at building your own custom module; it's not as scary as it seems -- assuming you are comfortable in C.
Similarly, doesn't mod_perl offer a lot in extending Apache via hooks?
You could try to add a filter to the AuthLDAPURL parameter: https://httpd.apache.org/docs/2.4/en/mod/mod_authnz_ldap.html#authldapurl
Maybe something like: