httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Sergey <>
Subject mod_auth_ldap extension for POSIX group support
Date Mon, 23 Dec 2002 20:26:39 GMT

It's my first post to the list which I'm reading regularly, so I hope I'll break as few rules
as possible.

I'm looking to extend mod_auth_ldap to check if the user is a member of the POSIX group (standard
procedure for PAM-LDAP, for 
instance). As opposed to regular LDAP groups where membership is stored in the attribute of
the _user_ object, POSIX group is a 
separate object of class `posixGroup' which has a _list_of_ members, in the series of `memberUid'
attributes. User objects have 
objectClass values `posixAccount' and `shadowAccount' in addition to structural class `person'
or `inetOrgPerson'.
My plan is to implement an authorization check in the form of "Require posixGroup <group>".
I can see that mod_auth_ldap in the 
"require" phase only checkes cached info, so I need to collect all groups in the authentication
phase. I think I need a separate 
query, roughly spelled as "(&(objectClass=posixGroup)(memberUid=<auth-user-uid>))",
where <auth-user-uid> is the `uid' attribute 
(or equivalent) of the authenticated user. Then, I need to store the list of POSIX groups
in the LDAP cache together with the 
user information in the `util_ldap_cache_checkuserid' function of `util_ldap.c' module, probably
using `posixGroup' as a 
"meta-attribute". What I mean is, each group name will be put into the cache as an attribute
value, but it will be a 
"calculated" attribute rather than a "real" one.
I still don't understand the code completely, but I hope to use `util_ldap_cache_compare'
in `util_ldap.c' as is, to see if a 
particular user has an attribute `posixGroup' with the value of the group given in "Require
posixGroup ...".

I wanted to ask for any feedback before I start this. Thank you!


View raw message