Apache Group for allowed users


pfefferc
I was looking at: https://spaces.internet2.edu/display/SHIB2/NativeSPProtectContent

Is it possible to set up an Apache group instead of listing all the names in the XML file?

Re: Apache Group for allowed users

Peter Schober
* [hidden email] <[hidden email]> [2009-06-22 15:29]:
> I was looking at: https://spaces.internet2.edu/display/SHIB2/NativeSPProtectContent
>
> Is it possible to set up an Apache group instead of listing all the
> names in the XML file?

In Apache httpd, using the Shib SP, you can certainly `require`
anything that you feed to the SP via SAML attributes.
And specifying `require group foo` with a groups file (as per the
httpd docs) is just a different way of saying
`require user alice bob mary john`.

The XML Access Control plugin is just an example, but it's handy
sometimes (when you want to combine several rules, but some of which
are to be AND'ed, while others are to be OR'ed).
-peter

RE: Apache Group for allowed users

Cantor, Scott E.
In reply to this post by pfefferc
[hidden email] wrote on 2009-06-22:
> I was looking at:
> https://spaces.internet2.edu/display/SHIB2/NativeSPProtectContent
>
> Is it possible to set up an Apache group instead of listing all the names
> in the XML file?

That topic isn't accurate, it's long out of date. It's there because I
haven't had time to address the web server side of the documentation.

The documentation for the XML-based access control plugin is in the
https://spaces.internet2.edu/display/SHIB2/NativeSPXMLAccessControl topic.
It does not support groups, no.

The alternative on Apache is using htaccess support, which is built-in and
doesn't require any special configuration. Within htaccess, the SP supports
"require group" in the usual fashion that mod_auth_* does.

I'm not sure that in practice it makes much difference, since either method
is just a file with a list of names. Using attributes that represent groups
maintained externally is normally the more scalable model.

-- Scott
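
The htaccess approach described in the two replies above, as an added example that is not part of the original thread. It assumes Shibboleth SP 2.x on Apache httpd 2.2 with the SP populating REMOTE_USER; the file path, the group name `staff`, and the `entitlement` attribute id and value are assumptions for illustration.

```apache
# .htaccess in the protected directory (added example, not from the thread).
# httpd reads this file only if AllowOverride for the directory permits
# AuthConfig; the same directives also work inside a <Directory> or
# <Location> block in the server configuration.

# Hand authentication to the Shibboleth SP and insist on a session.
AuthType shibboleth
ShibRequireSession On

# Option 1: a groups file in the usual httpd format, one group per line:
#
#   staff: alice bob mary john
#
# The names are matched against REMOTE_USER as set by the SP, so this is
# equivalent to "require user alice bob mary john".
# Path is an assumption; keep the file outside the document root.
AuthGroupFile /etc/httpd/conf/shib-groups
require group staff

# Option 2 (use instead of option 1): authorize on an attribute released
# by the IdP, so membership is maintained externally and no name list
# lives on the web server. "entitlement" must be an attribute id mapped
# in the SP's attribute-map.xml; the value shown is a placeholder.
#
# require entitlement urn:mace:example.org:staff
```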