httpd-dev mailing list archives

From Jess Holle <>
Subject Re: Puzzling News
Date Tue, 01 Mar 2005 16:50:52 GMT
Graham Leggett wrote:

>Jess Holle said:
>>Also a module (for Apache 2, not 1.3) that could use multiple LDAP
>>repositories -- and not for failover, but for separate user communities
>>-- all for a single resource/directory would be *very* helpful.
>Can mod_authnz_ldap not do this?
If this capability was added in 2.1, that would be news to me.

It cannot do this in 2.0.x.

The use cases are:

   1. multiple organizations, each with their own LDAP wish to allow
      their personnel into a common site -- each has its own, separately
      administered LDAP
   2. a single organization has a read-only internal LDAP and a writable
      LDAP for external guests -- again for a common site

In both cases there are multiple LDAP directories which have no overlap, 
i.e. if the first LDAP does not contain the uid, then the second must be 
tried -- this is quite different than the multiple fail-over LDAP URLs 
allowed in auth_ldap and Apache 2.0's mod_auth_ldap.

>>Right now, you have to use arcane LDAP "standards" for
>>chaining/referral, replication, etc. -- which don't hold up between
>>multiple organizations and LDAP vendors so well -- or use some expensive
>>add-on.
>Can you explain some more?
As long as the uids have to be combined under one LDAP URL you then 
have to tackle these use cases with LDAP technologies.  These are not 
well standardized across vendors and overall are a *lot* harder to work 
with than simply being able to specify a list of (non-overlapping, 
non-failover) LDAP URLs.

Jess Holle
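The distinction the message draws between fail-over URLs (same data, try the next server when one is down) and a chain of non-overlapping directories (different data, try the next directory when the uid is absent) has a security consequence that is easy to get wrong: the chain must only advance on "user not found", never on a bad password or on an unreachable directory, or a uid self-registered in the writable guest directory could shadow an internal account. The following Python model is an added example written for this page; it is not code from the thread, from auth_ldap or from any Apache module. The `Replica`, `Community`, `authenticate` and `sample_chain` names, the in-memory password tables and the `ldap://...example/` URLs are all constructed here as stand-ins for real LDAP binds.

```python
"""Model of chained, non-overlapping LDAP directories with per-directory fail-over.

Constructed example: each Replica keeps a uid -> password-hash table instead of
talking to a server, so the policy can be exercised offline.
"""
from dataclasses import dataclass
from enum import Enum, auto
import hashlib
import hmac


class BindResult(Enum):
    OK = auto()            # bind succeeded
    NOT_FOUND = auto()     # uid absent from this directory: try the next directory
    BAD_PASSWORD = auto()  # uid present, credential wrong: deny and stop
    UNAVAILABLE = auto()   # server unreachable: try the next replica of the same directory


def _h(password: str) -> str:
    """Stand-in for the server-side credential check (constructed; a real LDAP
    server verifies the bind itself and would never expose hashes like this)."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Replica:
    """One LDAP URL. `users` is the constructed uid -> hash table it answers from."""
    url: str
    users: dict
    up: bool = True

    def simple_bind(self, uid: str, password: str) -> BindResult:
        if not self.up:
            return BindResult.UNAVAILABLE
        if uid not in self.users:
            return BindResult.NOT_FOUND
        if hmac.compare_digest(_h(password), self.users[uid]):
            return BindResult.OK
        return BindResult.BAD_PASSWORD


@dataclass
class Community:
    """A separately administered directory plus its fail-over replicas (same data)."""
    name: str
    replicas: list


def bind_with_failover(community: Community, uid: str, password: str) -> BindResult:
    """Fail-over semantics: the replicas hold identical data, so an UNAVAILABLE
    answer just means 'ask the next replica'. Any other answer is final."""
    for replica in community.replicas:
        result = replica.simple_bind(uid, password)
        if result is not BindResult.UNAVAILABLE:
            return result
    return BindResult.UNAVAILABLE


def authenticate(uid: str, password: str, chain: list) -> tuple:
    """Chain semantics: directories are disjoint, so only NOT_FOUND advances to
    the next one. Returns (decision, directory name or None, reason) so the
    access log can record which community vouched for the user."""
    for community in chain:
        result = bind_with_failover(community, uid, password)
        if result is BindResult.OK:
            return ("allow", community.name, "bind ok")
        if result is BindResult.BAD_PASSWORD:
            # The uid exists here; trying later directories would let a duplicate
            # uid in a less trusted directory take over this account.
            return ("deny", community.name, "bad password")
        if result is BindResult.UNAVAILABLE:
            # Fail closed: skipping an unreachable directory would have the same
            # shadowing effect as falling through on a bad password.
            return ("deny", community.name, "directory unavailable")
        # NOT_FOUND: this directory does not own the uid, consult the next one.
    return ("deny", None, "unknown user")


def sample_chain(primary_up: bool = True, secondary_up: bool = True) -> list:
    """Constructed deployment matching use case 2 of the message: a read-only
    internal directory (two fail-over replicas) ahead of a writable guest directory."""
    internal_users = {"alice": _h("alice-pw"), "bob": _h("bob-pw")}
    internal = Community("internal", [
        Replica("ldap://ldap1.internal.example/", internal_users, up=primary_up),
        Replica("ldap://ldap2.internal.example/", internal_users, up=secondary_up),
    ])
    # A guest who self-registered the uid "alice" in the writable directory.
    guests = Community("guests", [
        Replica("ldap://guests.example/",
                {"guest1": _h("guest-pw"), "alice": _h("attacker-pw")}),
    ])
    return [internal, guests]


if __name__ == "__main__":
    chain = sample_chain()
    for uid, pw in [("alice", "alice-pw"), ("guest1", "guest-pw"), ("alice", "attacker-pw")]:
        print(uid, authenticate(uid, pw, chain))
```

Ordering the chain from most to least trusted directory, and stopping on anything but "not found", is what keeps the writable guest directory from ever answering for an internal uid; the returned directory name is worth logging so that a login through the wrong community is visible in the audit trail.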
