httpd-dev mailing list archives

From "Brad Nicholes" <>
Subject Re: [mod_auth_ldap] filter enhancement
Date Fri, 24 Mar 2006 15:29:23 GMT
>>> On 3/24/2006 at 2:56:01 am, in message
> Hi everybody,
> I would like to enhance this module to be able to match the username against
> more than one attribute in an "OR" condition.
> Currently, this module uses the AuthLDAPURL:
> lter
> it constructs the filter like this:
> but I think it could be useful (I need it now ;)) to have more than one
> "attribute_containing_the_login".
> I see two ways of doing this:
> Permit multiple attributes separated by comma in place of
> attribute_containing_the_login, as stated in RFC 2255.
> resulting filter will be:
> Or
> Permit to not provide "attribute_containing_the_login" but replace
> occurrences of, for example, "%u" in the additionnal_filter by the
> login.
> I'm okay to provide a patch, but I would like to know your opinion on
> those 2 ways.

Submit a patch and let's take a look at what you are proposing.  Keep
in mind that the LDAP URL that mod_authnz_ldap consumes already allows
you to enter multiple comma-delimited attributes as described by RFC
2255.  However mod_authnz_ldap only recognizes the first attribute as
the search attribute.  All of the other listed attributes including the
search attribute are used to extract the values as part of the request. 
Changing the format of the filter based on the attribute list in the
LDAP URL would change the searching behavior without the administrator
knowing that it happened.  This could be very bad because just upgrading
to a new version of mod_authnz_ldap and restarting Apache could
completely change the way authentication is working.  I would suggest
that you go with your second proposal.  That would provide the same type
of functionality but without the upgrade surprise.
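
The second proposal discussed above, sketched as an added example that is not part of the original message and is not mod_authnz_ldap code: the administrator writes the OR condition explicitly and each "%u" is replaced by the login. The function names, the sample template and the RFC 4515 escaping of the login are assumptions of this sketch; the thread does not specify them.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst, escaping the characters RFC 4515 reserves in filter
 * values so a login cannot change the filter's structure. -1 if dst is full. */
static int append_escaped(char *dst, size_t cap, size_t *len, const char *src)
{
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (c == '*' || c == '(' || c == ')' || c == '\\') {
            if (*len + 3 >= cap) return -1;
            *len += (size_t)snprintf(dst + *len, 4, "\\%02x", c);
        } else {
            if (*len + 1 >= cap) return -1;
            dst[(*len)++] = (char)c;
            dst[*len] = '\0';
        }
    }
    return 0;
}

/* Hypothetical expansion for the "%u" proposal: copy tmpl to out, replacing
 * each "%u" with the escaped login. Returns 0, or -1 if out is too small. */
int expand_filter(char *out, size_t cap, const char *tmpl, const char *user)
{
    size_t len = 0;
    if (cap == 0) return -1;
    out[0] = '\0';
    while (*tmpl) {
        if (tmpl[0] == '%' && tmpl[1] == 'u') {
            if (append_escaped(out, cap, &len, user) != 0) return -1;
            tmpl += 2;
        } else {
            if (len + 1 >= cap) return -1;
            out[len++] = *tmpl++;
            out[len] = '\0';
        }
    }
    return 0;
}

int main(void)
{
    char buf[256];
    /* Constructed sample template and logins, not taken from the thread. */
    const char *tmpl = "(&(objectClass=person)(|(uid=%u)(mail=%u)))";
    if (expand_filter(buf, sizeof buf, tmpl, "jdoe") == 0) puts(buf);
    if (expand_filter(buf, sizeof buf, tmpl, "j(d)*") == 0) puts(buf);
    return 0;
}
```

Because the OR lives in a template the administrator writes, a configuration that contains no "%u" keeps whatever behaviour it had before, which is the upgrade property the reply asks for.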

