
Apache: Implement blacklist/whitelist access control + LDAP authentication

Developer https://www.devze.com 2023-02-02 19:46 Source: Internet

In Apache, what would be the best way to only give access to users who pass the two following tests:

  1. User does not appear in blacklist (alternatively, appears in whitelist)
  2. User has valid LDAP user account

I already have the second test in place but I now need to bar some of the valid LDAP users. Note that I cannot create an AD group to represent my black/white list.


I have managed to do that using

  • mod_auth_ldap to authenticate valid users
  • mod_authz_host to blacklist IP ranges

The config then looks something like:

    <Location /blacklisted >
        AuthType Basic
        AuthName "PAM"

        AuthBasicProvider ldap
        Require valid-user
        AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN bindUser@example.com
        AuthLDAPBindPassword verySecurePasswd

        Order allow,deny
        Deny from 192.168.1
        Allow from all
    </Location>

However, I still don't know whether that would be feasible if I wanted to blacklist LDAP usernames instead of IP addresses. (Covener seems to suggest some complex config could do it but I haven't tried it).
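
One way to express the username blacklist that the answer above leaves open, as an added example that is not part of the original post. It assumes Apache 2.4 with mod_authnz_ldap, mod_authz_user and mod_authz_core; the LDAP settings are the ones from the post, `jdoe` and `asmith` are hypothetical usernames, and `AuthzLDAPAuthoritative` is left out because Apache 2.4 no longer has that directive.

```apache
# Added example (assumes Apache 2.4). jdoe and asmith are hypothetical names.
<Location /blacklisted>
    AuthType Basic
    AuthName "PAM"

    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.example.com/?sAMAccountName?sub
    AuthLDAPBindDN bindUser@example.com
    AuthLDAPBindPassword verySecurePasswd

    # "Require user" compares REMOTE_USER exactly (case-sensitive), while the
    # directory matches sAMAccountName case-insensitively. Taking REMOTE_USER
    # from the directory entry gives the deny list one canonical spelling to
    # compare against. The attribute must appear in AuthLDAPURL (it does).
    AuthLDAPRemoteUserAttribute sAMAccountName

    # Every line must pass. A "not" rule can only veto, so it has to sit
    # next to a positive rule such as valid-user inside RequireAll.
    <RequireAll>
        # Test 2: the LDAP bind succeeded
        Require valid-user
        # Test 1: the username is not on the deny list
        Require not user jdoe asmith
        # Same IP range the post blocked with Order/Deny
        Require not ip 192.168.1
    </RequireAll>

    # Whitelist alternative: replace the whole RequireAll block with
    #   Require user alice bob
    # (alice and bob are hypothetical). An unlisted or differently spelled
    # name is then refused, so the whitelist fails closed.
</Location>
```

Running `apachectl configtest` after the change catches a `Require not` placed outside a `<RequireAll>` block, which Apache rejects at startup.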
