httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jess Holle <>
Subject Re: Puzzling News
Date Tue, 01 Mar 2005 22:04:10 GMT
Wayne S. Frazee wrote:

> Jess Holle writes:
>> The use cases are:
>>   1. multiple organizations, each with their own LDAP wish to allow
>>      their personnel into a common site -- each has its own, separately
>>      administered LDAP
>>   2. a single organization has a read-only internal LDAP and a writable
>>      LDAP for external guests -- again for a common site
>> In both cases there are multiple LDAP directories which have no 
>> overlap, i.e. if the first LDAP does not contain the uid, then the 
>> second must be tried -- this is quite different then the multiple 
>> fail-over LDAP URLs allowed in auth_ldap and Apache 2.0's mod_auth_ldap.
> What it sounds like to me is that you are requesting a function that 
> would be able to handle LDAP authentication using multiple, separate 
> LDAP sources with distinct schemata.
> Essentially, if the user is not found in the mapped field of 
> primaryServer, then check the mapped user field of secondaryServer and 
> then tertiaryServer... in an environment where the mapped field may be 
> different for each of these servers.  E.g. searching uid on 
> primaryServer, username on secondaryServer, and SystemUser on 
> tertiaryServer?
> Am I understanding correctly?


> To my knowledge, no there is no such feature implemented on availible 
> apache 2-based ldap authentication projects.  You may want to suggest 
> it as a feature request to one or more of the more popular 
> ldap-related authentication projects.  Understand, though, the 
> overhead that such a system would probably imply on an authentication 
> request when the credential is not located in the first source.

Of course, I realize there would be extra overhead from each additional 
source.  On the other hand, with decent caching (e.g. the caching 
already in Apache 2) this overhead should not be felt frequently.

There have been enough instabilities and other issues in the LDAP 
modules to date, but I would think this is the first big *feature* to 
consider once these modules are fairly stable.

Jess Holle

View raw message