httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 40075] - unable to use ldap groups that contain DNs and usernames for AuthZ
Date Thu, 11 Jan 2007 16:03:06 GMT
http://issues.apache.org/bugzilla/show_bug.cgi?id=40075

------- Additional Comments From bnicholes@apache.org  2007-01-11 08:03 -------
Unless I am missing something, the AuthLDAPRequireDN functionality is being 
handled by AuthLDAPGroupAttributeIsDN.  If AuthLDAPGroupAttributeIsDN is set 
to ON (which is the default) then AuthnzLDAP will expect the user object to 
exist in the directory and for that user ID to be resolved to a full DN.  
Otherwise it will not be able to do a DN comparison which is what 
AuthLDAPGroupAttributeIsDN ON implies.  If AuthLDAPGroupAttributeIsDN is set 
to OFF, then the user ID that is passed in does not have to be resolved to a 
full DN which means that the user object does not have to exist in the 
directory but will be resolved to a DN if it does exist.  The group membership 
comparison will then follow the DN or UN specifier.  If DN is specified then a 
full DN comparison will occur.  If UN is specified then a simple user id 
comparison will occur.  If neither is specified then the comparison follows 
the AuthLDAPGroupAttributeIsDN setting which would default to a UN 
comparison.  

What additional functionality is AuthzLDAPRequireDN performing beyond that?  
From what I could see in the original patch, AuthzLDAPRequireDN simply 
determined whether a failed search for the user object forced the entire 
request to fail or was ignored.  AuthLDAPGroupAttributeIsDN is allowing for 
the same functionality.
