httpd-dev mailing list archives

From Ryan Morgan <rmor...@pobox.com>
Subject Re: Ldap Authorization
Date Wed, 27 Oct 2004 05:01:37 GMT

On Oct 26, 2004, at 6:10 PM, Graham Leggett wrote:

> Ryan Morgan wrote:
>
>> The mod_authnz_ldap documentation states that authorization schemes
>> can be set up using LDAP filters.  From looking at the source, that
>> doesn't appear to be the case.  (Authentication uses filters, but the
>> authorization phase does not.)
>> I think that type of feature could be useful though.  I was thinking
>> of adding an additional directive 'require ldap-attribute name=value'.
>
> AFAIR the default attributes for "require group" can be overridden 
> from "member" and "uniqueMember" to anything you like. You are 
> restricted to comparing against the distinguished name of the user 
> though.
>
> If you have a patch, open an enhancement report inside Bugzilla and 
> upload it there so that it doesn't fall through the cracks. Extending 
> the support for filters in the authorisation phase is a definite win.
>

Yep, only being able to match against the user DN with 'require
ldap-group' is a bit restrictive.  I'll file an enhancement along with
the patch.

Thanks Graham!
-Ryan

