From: Jess Holle
Date: Tue, 01 Mar 2005 10:50:52 -0600
To: dev@httpd.apache.org
Subject: Re: Puzzling News

Graham Leggett wrote:
> Jess Holle said:
>> Also a module (for Apache 2, not 1.3) that could use multiple LDAP
>> repositories -- and not for failover, but for separate user communities
>> -- all for a single resource/directory would be *very* helpful.
>
> Can mod_authnz_ldap not do this?

If this capability was added in 2.1, that would be news to me.

It cannot do this in 2.0.x.

The use cases are:
  1. multiple organizations, each with their own LDAP wish to allow their personnel into a common site -- each has its own, separately administered LDAP
  2. a single organization has a read-only internal LDAP and a writable LDAP for external guests -- again for a common site
In both cases there are multiple LDAP directories which have no overlap, i.e. if the first LDAP does not contain the uid, then the second must be tried -- this is quite different than the multiple fail-over LDAP URLs allowed in auth_ldap and Apache 2.0's mod_auth_ldap.

>> Right now, you have to use arcane LDAP "standards" for
>> chaining/referral, replication, etc -- which don't hold up between
>> multiple organizations and LDAP vendors so well -- or use some expensive
>> add on.
>
> Can you explain some more?

As long as the uids have to be combined under one LDAP URL you then have to tackle these use cases with LDAP technologies.  These are not well standardized across vendors and overall are a *lot* harder to work with than simply being able to specify a list of (non-overlapping, non-failover) LDAP URLs.

--
Jess Holle

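As an added illustration of the distinction drawn above (this is not code from the thread or from any Apache module), the following Python model contrasts fail-over across replicas of one directory with sequential lookup across non-overlapping directories; the directory names, hosts and users are constructed sample values, and plain dicts stand in for LDAP servers.

```python
# Added example, not from the thread or from mod_auth_ldap/mod_authnz_ldap.
# Constructed in-memory "directories" model the two semantics the message
# contrasts: fail-over (same data, next host on outage) versus a list of
# non-overlapping directories (next directory only when the uid is absent).
from dataclasses import dataclass, field


class LdapDown(Exception):
    """Constructed stand-in for 'no replica of this directory is reachable'."""


@dataclass
class Directory:
    name: str
    hosts: list                             # replicas holding identical data
    users: dict                             # constructed uid -> password map
    down: set = field(default_factory=set)  # hosts simulated as unreachable

    def lookup(self, uid):
        """Fail-over semantics: ask the first reachable replica; since every
        replica holds the same data, a miss here is a real miss."""
        for host in self.hosts:
            if host in self.down:
                continue
            return host, self.users.get(uid)
        raise LdapDown(self.name)


def authenticate(directories, uid, password):
    """Multi-community semantics: move to the next directory only when this
    one does not contain the uid. A directory that does contain it is
    authoritative: a wrong password there is a failure, not a reason to keep
    searching. An unreachable directory raises rather than being skipped,
    because we cannot know whether it holds the uid (fail closed)."""
    for d in directories:
        host, stored = d.lookup(uid)
        if stored is None:
            continue                         # uid absent: try the next directory
        return (stored == password, d.name, host)
    return (False, None, None)               # uid in no directory at all


# Constructed sample data: two organizations' directories, no uid overlap.
ORG_A = Directory("org-a", ["ldap1.a", "ldap2.a"], {"alice": "pw-a"},
                  down={"ldap1.a"})          # first replica simulated as down
GUESTS = Directory("guests", ["ldap.guest"], {"bob": "pw-b"})
ALL_DOWN = Directory("dead", ["ldap.dead"], {}, down={"ldap.dead"})

if __name__ == "__main__":
    for uid, pw in [("alice", "pw-a"), ("bob", "pw-b"), ("alice", "wrong"), ("carol", "x")]:
        print(uid, authenticate([ORG_A, GUESTS], uid, pw))
```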