httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Duncan Brannen <>
Subject Re: mod_auth_ldap and mod_auth interaction
Date Thu, 02 Dec 2004 09:21:39 GMT

Thanks Brad,
         I'll switch it off & stop poking at the code.


At 21:53 01/12/2004, you wrote:
>   The short answer is that it is already fixed in Apache 2.1/2.2.
>Unfortunately you have hit on one of the limitations of the Apache 2.0
>authentication module structure.  The problem is that authorization
>types are replicated through multiple authentication modules.
>Fortunately this has all been taken care of in Apache 2.1/2.2.  For
>example, in the Apache 2.1/2.2 version of mod_authnz_ldap, the
>authorization types are no longer user, group, etc., they are ldap-user,
>ldap-group, etc.  You can also mix and match different types of
>authorization with authentication.  The quick fix for Apache 2.0 is to
>set "AuthAuthoritative off" so that if the mod_auth authorization fails,
>it will defer to mod_auth_ldap which will work.
> >>> Tuesday, November 30, 2004 5:35:29 AM >>>
>Sorry if this belongs in the users group, it's a query, but a query
>the working of the code.
>I've filed a bug (32426) but am trying to fix it myself.
>What I've found is that if user_is_dn is set (AuthLDAPRemoteUserIsDN in
>.htaccess file) then
>mod_auth_ldap sets r->user to be the users dn, not the user uid
>authenticated as.
>util_script.c uses this value to set REMOTE_USER (Good, all is well :)
>mod_auth.c users this value to check the require(d) user and of course
>fails as the list of users
>is a list of uid's
>mod_auth_ldap has it's own require ( user | group | valid-user)
>checks.  These are used for require group
>successfully but not require user.
>Is there a way to get information such as req->user or user_is_dn back
>mod_auth?  I'm guessing not
>easily & you don't really want to mess with mod_auth.  Or get mod_auth
>use mod_auth_ldaps'  auth_checker
>for require user as is does for require group which I think is the
>Hoping someone familiar with the code can save me some time.
>         Duncan

View raw message