Getting apache to see a LDAP group membership change

Trying to implement authz to a web page using require ldap-group. It works, except I need to do apachectl restart before the server will observe an add or a delete to the group.

Seems like apache is acquiring the group membership at startup & caching it.

It's a static group.

I have apache 2.2 on AIX and TDS LDAP.

We want to automate group member adds/deletes, which implies that we need to automate refreshing the server's knowledge of the group. Possible solutions I've wondered about:

  • using dynamic groups (membership would be evaluated on every authz rather than the principal/user being compared against a cached list). This may be conceptually correct but is not an option given our schema.
  • doing something fugly like require ldap-attribute is-member-yatta-blah. I should be able to use require ldap-group.
  • driving an apachectl refresh out of the add/delete automation. I'd do it with ssh to a public-key-protected login on the servers running apache, as long as that doesn't make our security heads hurl.
  • something in HTML that tells the server to refresh its cached image of group contents?

Ideas appreciated.
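For reference, here is an added example (not the poster's configuration) of the kind of httpd.conf fragment this question is about. The group-membership comparisons that Require ldap-group performs go through mod_ldap's operations cache, whose lifetime is controlled by LDAPOpCacheTTL (default 600 seconds), so a membership change normally becomes visible after that TTL expires rather than only on restart; the DN, URL and bind-account values below are placeholders, not values from the post.

```apache
# Added example: mod_ldap cache tuning for a Require ldap-group protected area.
# Placeholder values throughout; adjust DNs, URL and bind credentials to your directory.

# Global mod_ldap settings (outside any <Location>/<Directory>).
LDAPSharedCacheSize 500000     # shared memory for both caches (bytes); 0 disables caching entirely
LDAPCacheEntries    1024       # search/bind cache (user DN lookups and bind results)
LDAPCacheTTL        600        # seconds a cached search/bind result is trusted
LDAPOpCacheEntries  1024       # operations cache: compare results, i.e. group-membership checks
LDAPOpCacheTTL      60         # lower this so a group add/delete is seen within ~1 minute

<Location /secure>
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    # Placeholder directory server and search base.
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=*)"
    # Placeholder bind account; anonymous search may suffice depending on directory ACLs.
    AuthLDAPBindDN       "cn=httpd-bind,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "PLACEHOLDER"
    # Static group: members are stored as full DNs in the "member" attribute.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on
    AuthzLDAPAuthoritative     on
    # Membership of this (placeholder) static group grants access.
    Require ldap-group cn=webapp-users,ou=groups,dc=example,dc=com
</Location>
```

Two practical notes: the operations cache stores negative compare results as well as positive ones, so a user added to the group who was denied moments earlier will keep being denied until the cached entry ages out, which is why a TTL (or, for small deployments, disabling the cache with LDAPSharedCacheSize 0) removes the need for the restart; and the bind password in the main config should be readable only by root, since the worker processes do not need to reread the file after startup.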