I would like to set up a primary directory that has one set of LDAP-based restrictions and then have various sub-directories use other restrictions, but only have the actual LDAP search done in the base directory. For example:

.htaccess per directory:

    /Primary_Directory
    AuthLDAPURL "ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)"
    Require group cn=admins

    ../Open2All
    Require valid-user

    ../No_Admins_Allowed
    Require group cn!=admins

So basically, the primary directory (in this example) can only be accessed by users who are in the admins group, while the first sub-directory can be accessed by anyone in the directory, and the second sub-folder can be reached by anyone who is NOT in the admin-group.

But I only want to set the Require line for the sub-directories, and not re-setup the LDAP query on each sub-directory.

Is this possible, even though there are clear permissions conflicts from level to level? Does the deepest .htaccess file know that the Require line refers to the LDAP search in the parent folder?

A: 

It turns out I was not distinguishing between Authentication and Authorization. I can have all users authenticate at the main directory using mod_auth_ldap, and then set up who can go where per directory using mod_authnz_ldap.

Anthony
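
The layout from the question with authentication declared once and only authorization set per directory, as an added example that is not part of the original post. It assumes Apache 2.4 syntax with mod_authnz_ldap; the full group DN `cn=admins,ou=Groups,o=Airius` and the `AuthName` text are assumptions, since the question gives only `cn=admins`.

```apache
# --- /Primary_Directory/.htaccess ---
# Authentication (who the user is): declared once, inherited by sub-directories.
AuthType Basic
AuthName "Airius directory login"
AuthBasicProvider ldap
AuthLDAPURL "ldap://ldap1.airius.com:389/ou=People, o=Airius?uid?sub?(objectClass=*)"

# Authorization for this directory: members of the admins group only.
# Assumed group DN; substitute the real DN of the group entry.
Require ldap-group cn=admins,ou=Groups,o=Airius

# --- /Primary_Directory/Open2All/.htaccess ---
# No LDAP settings repeated here. Any user who authenticated against
# the inherited AuthLDAPURL is allowed.
Require valid-user

# --- /Primary_Directory/No_Admins_Allowed/.htaccess ---
# Authenticated users who are NOT in the admins group.
# A negated Require cannot grant access by itself, so it is paired
# with a positive rule inside <RequireAll>.
<RequireAll>
    Require valid-user
    Require not ldap-group cn=admins,ou=Groups,o=Airius
</RequireAll>
```

The server configuration must permit these files with `AllowOverride AuthConfig`. Because `AuthMerging` defaults to `Off`, each sub-directory's `Require` lines replace the parent's rather than adding to them, which is why Open2All is not limited to admins.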