From Brian Foddy <>
Subject [PATCH] [Fwd: Re: Nested Groups]
Date Tue, 05 Nov 2002 22:14:22 GMT
  To whom it may interest...

The following thread is a note to Dave Carrigan where I proposed the
attached patch to his auth_ldap module for nested group association,
as can be used in MS Active Directory.

I have not compared his code to what exists in Apache 2.x, but I understand
it's similar and from the same original source tree.

I thought I would put this code out there, and if there is any interest
in using it, or using its ideas to incorporate into the Apache baseline,
please feel free.

Again, this is a patch against the auth_ldap 1.6.0 module, not the current
apache code.

I'm not a subscriber to the dev mailing list, so questions will need to be
addressed directly to me.

Brian Foddy
Northwest Airlines

-------- Original Message --------
Subject: Re: Nested Groups
Date: Mon, 26 Aug 2002 16:50:06 -0500
From: Brian Foddy <>
To: Dave Carrigan <>
References: <> <1029336677.4953.7.camel@buffy>


I've finished my primary testing of these changes.  Attached is
a patch file for auth_ldap 1.6.0 to allow it to search through nested

I added 2 new config directives:
AuthLDAPGroupSearchBaseDN to allow for a separate group search base DN;
if not defined, the normal base DN is used.

AuthLDAPNestedGroupSearch is a boolean flag for whether to perform
nested group searches.  Default OFF.

I haven't yet started writing my intended application using these features,
so I may find additional bugs as I go along.  But in the concentrated
testing I've done so far it seems to work well.

Again, I've done very little testing with cache behavior, but I hope hooking
in where I have should not change the cache.  With our low hit volume,
caching is not a big issue anyway.

Please look over these changes and give me feedback, thoughts, etc.

Brian Foddy

Dave Carrigan wrote:

>On Tue, 2002-08-13 at 13:34, Brian Foddy wrote:
>>However, looking at auth_ldap I don't see any support for this 
>>(as you stated in your note). Has anything changed?
>At this point, there is no support for recursive groups. However, since
>it's at the top of the most requested features, I will probably be
>adding it in some future release (or accepting patches that do it, hint
>hint :-)
>Since I'm not doing any significant development on auth_ldap right now,
>I really can't predict a time frame for this.
>>where SOCusersA & B belong to SOCUsers as nested groups.  But
>>this doesn't look too easy to maintain either.  
>This is probably the only way to do it, but as you say, it's not easy to
>maintain. As more people start to use AD, the demand for recursive
>groups is going to get larger, so it will be making it into auth_ldap
>some time.
>Dave Carrigan
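The patch itself is attached to the original mail and is not reproduced here. To make the behaviour the two directives describe concrete, the following is an added example (not code from the thread, from auth_ldap, or from the attached patch): a nested group membership check over a small constructed in-memory directory, with the two controls a practitioner wants when following group-in-group links in AD-style trees, a visited set so a membership cycle (group A lists group B, group B lists group A) terminates, and a depth limit. The `DIRECTORY` dict, the `GROUP_BASE_DN` constant (standing in for AuthLDAPGroupSearchBaseDN), and the function names are all assumptions of this example; the `nested` argument plays the role of AuthLDAPNestedGroupSearch.

```python
"""Nested (recursive) LDAP group membership resolution, added illustrative example."""
from collections import deque

# Constructed sample directory, not real data: group DN -> list of member DNs.
# Only group entries appear as keys; anything not a key is treated as a user.
# Layout follows the thread: SOCusersA and SOCusersB are nested inside SOCUsers.
GROUP_BASE_DN = "ou=Groups,dc=example,dc=com"  # stands in for AuthLDAPGroupSearchBaseDN
DIRECTORY = {
    "cn=SOCUsers,ou=Groups,dc=example,dc=com": [
        "cn=SOCusersA,ou=Groups,dc=example,dc=com",
        "cn=SOCusersB,ou=Groups,dc=example,dc=com",
        "cn=carol,ou=People,dc=example,dc=com",
    ],
    "cn=SOCusersA,ou=Groups,dc=example,dc=com": [
        "cn=alice,ou=People,dc=example,dc=com",
        # Deliberate cycle back to the parent group; the resolver must not loop on it.
        "cn=SOCUsers,ou=Groups,dc=example,dc=com",
    ],
    "cn=SOCusersB,ou=Groups,dc=example,dc=com": [
        "cn=bob,ou=People,dc=example,dc=com",
    ],
}


def dn_in_base(dn, base_dn):
    """True if dn sits below base_dn (case-insensitive suffix match on the DN string)."""
    return dn.lower().endswith("," + base_dn.lower())


def expand_group(directory, group_dn, group_base_dn=None, max_depth=10):
    """Return the transitive set of user DNs reachable from group_dn.

    Breadth-first walk over nested groups.  A visited set stops cycles, max_depth
    bounds how deep the nesting is followed, and group_base_dn (when given) limits
    which group entries are expanded, mirroring a separate group search base.
    """
    users = set()
    visited = set()
    queue = deque([(group_dn, 0)])
    while queue:
        current, depth = queue.popleft()
        if current in visited or depth > max_depth:
            continue
        visited.add(current)
        for member in directory.get(current, []):
            if member in directory:  # a group entry in this constructed directory
                if group_base_dn is None or dn_in_base(member, group_base_dn):
                    queue.append((member, depth + 1))
            else:
                users.add(member)
    return users


def is_member(directory, user_dn, group_dn, nested=False,
              group_base_dn=None, max_depth=10):
    """Flat check when nested is False (direct members only); recursive otherwise."""
    if not nested:
        return user_dn in directory.get(group_dn, [])
    return user_dn in expand_group(directory, group_dn, group_base_dn, max_depth)


if __name__ == "__main__":
    alice = "cn=alice,ou=People,dc=example,dc=com"
    soc = "cn=SOCUsers,ou=Groups,dc=example,dc=com"
    print("flat  :", is_member(DIRECTORY, alice, soc))
    print("nested:", is_member(DIRECTORY, alice, soc, nested=True, group_base_dn=GROUP_BASE_DN))
    print("all   :", sorted(expand_group(DIRECTORY, soc, GROUP_BASE_DN)))
```

With the flag off, alice is not a member of SOCUsers because only the direct member list is consulted; with it on, she is found through SOCusersA, and the cycle from SOCusersA back to SOCUsers is visited once and dropped. Passing a group base that excludes the sub-groups (for example a different OU) makes the nested result collapse back to the direct members, which is the effect a misconfigured AuthLDAPGroupSearchBaseDN would have.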

