From: "Brad Nicholes"
To: dev@httpd.apache.org
Date: Wed, 03 Nov 2004 09:15:40 -0700
Subject: Re: [PATCH]: LDAP Authz (was: Ldap Authorization)

I like the suggestion as well because I think that would be the right way to implement complex LDAP expressions. But it would probably take adding at least a new util_ldap_filter_search() API to Util_ldap() in order to accommodate this functionality. The advantage of also having an ldap-attribute directive is because of simplicity as well as performance. According to the LDAP docs, doing an ldap_compare_s() is faster than an ldap_search_s().
I will go ahead and commit the patch as-is and also propose a backport for it. But I think that we should look at adding a "require ldap-filter" directive as well for Apache 2.1/2.2.

Brad

>>> jim@jaguNET.com Wednesday, November 03, 2004 8:09:35 AM >>>
Good suggestion. I am +1 for the patch as-is with the intent of looking into adding the below

On Nov 3, 2004, at 5:04 AM, Graham Leggett wrote:

> Brad Nicholes wrote:
>
>> I took a quick look at this patch and it seems to work well as long
>> as all of the listed attributes are OR'ed together. I don't have a
>> good suggestion yet, but is there a way to implement the logic so that
>> attributes could be also AND'ed together? Or even a NOT-EQUAL
>> operation?
>
> I think the best way to do this probably is instead of saying "require
> ldap-attribute" you say "require LDAP filter".
>
> In other words, like this:
>
> require filter (objectclass=specialPerson)
>
> or
>
> require filter (host=somehost.com)
>
> This supports more complicated stuff, like this:
>
> require filter (&(objectclass=specialPerson)(host=somehost.com))
>
> Regards,
> Graham
>
> --

--
=======================================================================
Jim Jagielski [|] jim@jaguNET.com [|] http://www.jaguNET.com/
"There 10 types of people: those who read binary and everyone else."
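The filter forms Graham proposes above, worked as an added example that is not part of this thread and not code from httpd, util_ldap or the patch under discussion. It is a toy evaluator for the subset of RFC 4515 filter syntax the thread uses (and, or, not, equality, presence) plus RFC 4515 value escaping, run against two constructed directory entries, so the difference between "all listed attributes OR'ed together" (what ldap-attribute gives) and an arbitrary filter with AND and NOT is visible. Assumed: attribute names and values compare case-insensitively (caseIgnoreMatch), the entries ALICE and BOB are invented, and ldap_attribute_filter() is a hypothetical helper that only shows the OR expansion, not how httpd implements the directive.

```python
"""Toy RFC 4515 filter evaluator (added example; not httpd or util_ldap code).

Supports (&...), (|...), (!...), attr=value and attr=* only. Equality is
case-insensitive on both attribute name and value (caseIgnoreMatch assumed).
"""
import re

_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")


def escape_filter_value(value: str) -> str:
    """Escape a value for splicing into a filter (RFC 4515 section 3).

    Anything that comes from a request or a user must pass through this;
    a raw '*', '(', ')' or '\\' changes the meaning of the filter.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(value: str) -> str:
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def _char(s: str, i: int) -> str:
    if i >= len(s):
        raise ValueError("unexpected end of filter")
    return s[i]


def _parse(s: str, i: int):
    """Recursive-descent parse of one parenthesised filter starting at s[i]."""
    if _char(s, i) != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    c = _char(s, i)
    if c in "&|":
        children = []
        i += 1
        while _char(s, i) == "(":
            child, i = _parse(s, i)
            children.append(child)
        if _char(s, i) != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (c, children), i + 1
    if c == "!":
        child, i = _parse(s, i + 1)
        if _char(s, i) != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", child), i + 1
    end = s.find(")", i)
    if end < 0:
        raise ValueError("unterminated filter item at offset %d" % i)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("bad filter item %r" % s[i:end])
    if value == "*":
        return ("present", attr.lower()), end + 1
    return ("eq", attr.lower(), _unescape(value)), end + 1


def parse_filter(text: str):
    """Parse a complete filter string into a nested tuple tree."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter at offset %d" % pos)
    return node


def evaluate(node, entry: dict) -> bool:
    """Evaluate a parsed filter against an entry shaped {attr: [values]}."""
    kind = node[0]
    if kind == "&":
        return all(evaluate(c, entry) for c in node[1])
    if kind == "|":
        return any(evaluate(c, entry) for c in node[1])
    if kind == "!":
        return not evaluate(node[1], entry)
    values = [v for k, vs in entry.items() if k.lower() == node[1] for v in vs]
    if kind == "present":
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)


def matches(filter_text: str, entry: dict) -> bool:
    return evaluate(parse_filter(filter_text), entry)


def ldap_attribute_filter(pairs) -> str:
    """Hypothetical helper: the OR-of-equality filter that a list of
    attribute=value pairs (the ldap-attribute style) amounts to."""
    terms = "".join("(%s=%s)" % (a, escape_filter_value(v)) for a, v in pairs)
    return terms if len(pairs) == 1 else "(|%s)" % terms


# Constructed sample entries, not real directory data.
ALICE = {"objectClass": ["top", "person", "specialPerson"], "host": ["somehost.com"], "uid": ["alice"]}
BOB = {"objectClass": ["top", "person"], "host": ["somehost.com"], "uid": ["bob"]}

if __name__ == "__main__":
    or_filter = ldap_attribute_filter([("objectclass", "specialPerson"), ("host", "somehost.com")])
    and_filter = "(&(objectclass=specialPerson)(host=somehost.com))"
    for name, entry in (("alice", ALICE), ("bob", BOB)):
        print(name, "OR:", matches(or_filter, entry), "AND:", matches(and_filter, entry),
              "NOT special:", matches("(!(objectclass=specialPerson))", entry))
    # A raw '*' from user input turns an equality test into a presence test.
    print("naive:", matches("(uid=*)", BOB), "escaped:", matches("(uid=%s)" % escape_filter_value("*"), BOB))
```

With the OR form both entries are accepted because each has host=somehost.com; only the AND filter distinguishes alice from bob, and the NOT form gives the not-equal test Brad asks about. The last line is the caveat a practitioner wants: a filter read verbatim from the configuration is static, but any value spliced in from outside must be escaped, or `(uid=*)` matches everyone.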