How to support "require group foobar" in mod_auth_cas
I am using mod_auth_cas to protect my tsdb site, and the example is as follows. When I use "require valid-user", it works well. But I want to only allow some people to view my site, so I use "require group foobar" in the Apache conf, but I don't know how to make it work. I have tried adding extra "groups" attributes on my rubycas-server, but it does not work.
<VirtualHost *:80>
    CASLoginURL https://cas.example.com/login
    CASValidateURL https://cas.example.com/serviceValidate
    CASValidateServer Off
    CASDebug On
    ServerName tsdb.example.com
    ProxyPass / http://127.0.0.1:4242/
    ProxyPassReverse / http://127.0.0.1:4242/
    ProxyPreserveHost On
    <Location />
        AuthType CAS
        require group foobar
        # require valid-user
    </Location>
</VirtualHost>
thanks
Comments (2)
The latest development version of mod_auth_cas now supports
which can be used to test group membership (source [1]). The format of this attribute and regular expression may vary depending on your CAS server. If your groups are in LDAP, you can also combine mod_auth_cas with mod_authnz_ldap, with CAS providing authentication, and LDAP providing authorization, for example:
If you want to use "Require ldap-group", which will authorize via mod_authnz_ldap, in conjunction with "Require user", which will authorize using mod_auth_cas, then make sure to include "AuthzLDAPAuthoritative off" (CASAuthoritative already defaults to off).
[1] https://github.com/Jasig/mod_auth_cas (note that version 1.0.10 has not actually been released yet)
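The CAS-for-authentication, LDAP-for-authorization combination described in the answer above, written out for Apache 2.2 as an added example (not the answerer's or the project's own configuration). The LDAP host, DNs, bind account, user name and certificate path are placeholder assumptions.

```apache
# Added example for Apache 2.2 (the release line that has AuthzLDAPAuthoritative).
# Placeholders (assumptions): ldap.example.com, the dc=example,dc=com DNs,
# the svc-apache bind account, user "alice", /etc/ssl/certs.
<VirtualHost *:80>
    ServerName tsdb.example.com

    CASLoginURL    https://cas.example.com/login
    CASValidateURL https://cas.example.com/serviceValidate
    # The question's config sets this to Off, which disables verification
    # of the CAS server's certificate.
    CASValidateServer  On
    CASCertificatePath /etc/ssl/certs

    ProxyPass        / http://127.0.0.1:4242/
    ProxyPassReverse / http://127.0.0.1:4242/
    ProxyPreserveHost On

    <Location />
        # Authentication: mod_auth_cas sets the user name after ticket validation.
        AuthType CAS

        # Authorization: mod_authnz_ldap looks that user name up under this
        # base (uid attribute) to get a DN for the group membership test.
        AuthLDAPURL          "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid?sub"
        AuthLDAPBindDN       "cn=svc-apache,ou=services,dc=example,dc=com"
        AuthLDAPBindPassword "CHANGE-ME"

        # Let other modules evaluate Require lines that LDAP does not satisfy.
        AuthzLDAPAuthoritative off

        # Members of the foobar group are admitted...
        Require ldap-group cn=foobar,ou=groups,dc=example,dc=com
        # ...plus one named user, authorized outside LDAP.
        Require user alice
    </Location>
</VirtualHost>
```

Multiple Require lines are alternatives, so keep `Require valid-user` out of this block or every CAS-authenticated user is admitted. On Apache 2.4 the AuthzLDAPAuthoritative directive no longer exists.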
I don't think CAS deals with groups at all. It only handles authentication, so it can only tell you that you're logged in - but it does not do authorization.