httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 42561] - [PATCH] AuthLDAPRemoteUserAttribute only applies in the authn stage
Date Fri, 07 Dec 2007 22:25:17 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42561>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42561


Martin.vGagern@gmx.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |Martin.vGagern@gmx.net
------- Additional Comments From Martin.vGagern@gmx.net  2007-12-07 14:25 -------
I've developed this improvement independently, as I hit a real-world example. We
have a distributed authentication system with Kerberos for authentication and
LDAP for authorization. So the user authenticates using GSSAPI or
username/password. mod_auth_kerb passes the Kerberos principal as user name,
which includes the realm along with the real user name. Using the krb5Principal
attribute as the key to search LDAP allows me to find the correct entry. For the
applications, however, we want the simple user name.

For my modifications I copied even more strongly from the authentication
function. You find "req->user = ..." in all these functions. After that the
authentication does the following things before logging its success:
1. handle sec->user_is_dn resp. AuthLDAPRemoteUserIsDN
2. set AUTHENTICATE_* environment variables
3. handle sec->remote_user_attribute resp. AuthLDAPRemoteUserAttribute
4. sanity check that the requested attribute is really available

I copied all these code fragments, as UserIsDN would be useful in an
authorization-only scenario as well, more information in the environment might
be useful to scripts (I replaced AUTHENTICATE with AUTHORIZE), and an error
message in case of a missing attribute might help in diagnosing errors. All this I
copied after the "req->user = r->user" assignment at the end of the "if(!req)"
block for authorization.

I did my changes against the 2.2.x branch, where a single function handles
authorization. Current trunk has four such functions, and exact duplicates of the
"if(!req)" block in each of these. That's a lot of code duplication; I didn't
want to contribute to this by copying the stuff described above and pasting it
four times. Instead I think this common code should be factored out, but I can't
do this just now.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
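As an added illustration, not code from the bug report or from mod_authnz_ldap itself: a self-contained C model of the four steps the comment lists (RemoteUserIsDN, AUTHORIZE_* environment entries, RemoteUserAttribute, and the sanity check that the attribute was actually requested), run over a constructed entry in which a Kerberos principal was matched through krb5PrincipalName and AuthLDAPRemoteUserAttribute uid yields the plain user name. The struct names, the sample DN and the sample values are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ATTRS 4
typedef struct {                        /* the matched LDAP entry (model) */
    const char *dn;
    const char *attr_names[MAX_ATTRS];  /* attributes listed in AuthLDAPURL */
    const char *attr_vals[MAX_ATTRS];   /* their values for this entry */
    int nattrs;
} ldap_match;
typedef struct {
    int user_is_dn;                     /* AuthLDAPRemoteUserIsDN */
    const char *remote_user_attribute;  /* AuthLDAPRemoteUserAttribute */
} ldap_conf;
typedef struct {
    char user[128];                     /* what REMOTE_USER becomes */
    char env[MAX_ATTRS][2][128];        /* AUTHORIZE_* name/value pairs */
    int nenv;
} authz_result;

/* Steps 1-4 from the comment, applied after the authz search matched.
 * Returns 0, or -1 when AuthLDAPRemoteUserAttribute names an attribute that
 * was never requested (step 4); REMOTE_USER then keeps the principal/DN. */
int finish_authz_user(const ldap_conf *c, const ldap_match *m,
                      const char *authenticated_user, authz_result *out)
{
    int i, found = 0;
    out->nenv = 0;
    snprintf(out->user, sizeof out->user, "%s",
             c->user_is_dn ? m->dn : authenticated_user);     /* step 1 */
    for (i = 0; i < m->nattrs; i++) {                         /* step 2 */
        char *p;
        snprintf(out->env[i][0], 128, "AUTHORIZE_%s", m->attr_names[i]);
        for (p = out->env[i][0]; *p; p++) *p = (char)toupper((unsigned char)*p);
        snprintf(out->env[i][1], 128, "%s", m->attr_vals[i] ? m->attr_vals[i] : "");
        out->nenv++;
        if (c->remote_user_attribute && m->attr_vals[i] &&    /* step 3 */
            !strcmp(c->remote_user_attribute, m->attr_names[i])) {
            snprintf(out->user, sizeof out->user, "%s", m->attr_vals[i]);
            found = 1;
        }
    }
    return (c->remote_user_attribute && !found) ? -1 : 0;    /* step 4 */
}

/* Constructed sample: Kerberos principal matched via krb5PrincipalName. */
static const ldap_match sample_match = { "uid=alice,ou=people,dc=example,dc=org",
    { "krb5PrincipalName", "uid" }, { "alice@EXAMPLE.ORG", "alice" }, 2 };
static const ldap_conf sample_conf = { 0, "uid" };
```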

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

