httpd-dev mailing list archives

From "Brad Nicholes" <BNICHO...@novell.com>
Subject Re: [mod_auth_ldap] filter enhancement
Date Fri, 24 Mar 2006 15:29:23 GMT
>>> On 3/24/2006 at 2:56:01 am, in message
<20060324095601.GF22892@easter-eggs.com>, elacour@easter-eggs.com
wrote:
> Hi everybody,
> 
> I would like to enhance this module to be able to match the username
> in more than one attribute in an "OR" condition.
> 
> Currently, this module uses the AuthLDAPURL:
> 
> AuthLDAPURL
> ldap://server/searchbase?attribute_containing_the_login?scope?additionnal_filter
> 
> it constructs the filter like this:
> 
> (&(attribute_containing_the_login=provided_login)(additionnal_filter))
> 
> but I think it could be useful (I need it now ;)) to have more than
> one "attribute_containing_the_login".
> 
> I see two ways for doing this:
> 
> Permit multiple attributes separated by comma in place of
> attribute_containing_the_login, as stated in RFC 2255.
> 
> resulting filter will be:
> 
> (&(|(attr1=provided_login)(attr2=provided_login)(...))(additionnal_filter))
> 
> Or
> 
> Permit to not provide "attribute_containing_the_login" but replace
> any occurrence of for example "%u" in the additionnal_filter by the
> provided login.
> 
> I'm okay to provide a patch, but I would like to know your opinion
> on those 2 ways.


Submit a patch and let's take a look at what you are proposing.  Keep
in mind that the LDAP URL that mod_authnz_ldap consumes already allows
you to enter multiple comma-delimited attributes as described by RFC
2255.  However, mod_authnz_ldap only recognizes the first attribute as
the search attribute.  All of the other listed attributes, including the
search attribute, are used to extract the values as part of the request.
Changing the format of the filter based on the attribute list in the
LDAP URL would change the searching behavior without the administrator
knowing that it happened.  This could be very bad because just upgrading
to a new version of mod_authnz_ldap and restarting Apache could
completely change the way authentication is working.  I would suggest
that you go with your second proposal.  That would provide the same type
of functionality but without the upgrade surprise.

Brad
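How the two proposals in the quoted message would shape the final search filter, as an added example that is not part of this thread or of mod_auth_ldap's own code. The function names and the URL parsing are my own; the RFC 4515 escaping of the substituted login is also my addition, since a login copied verbatim into a filter (the "%u" case especially) could alter the filter's structure, so a defender would want the value escaped before substitution.

```python
# Constructed example: the two filter-building schemes discussed in the thread,
# with the user-supplied login escaped per RFC 4515 before it enters the filter.

# RFC 4515 says these characters must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally and cannot add filter terms."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_ldap_url(url):
    """Split an RFC 2255 URL (ldap://host/base?attrs?scope?filter) into
    (attribute list, extra filter); both may be empty."""
    parts = url.split("?")
    attrs = [a for a in parts[1].split(",") if a] if len(parts) > 1 else []
    extra = parts[3] if len(parts) > 3 else ""
    return attrs, extra


def _wrap(component):
    # Accept the extra filter with or without its outer parentheses
    # (mod_authnz_ldap strips and re-adds them; this mirrors that behaviour).
    return component if component.startswith("(") else "(%s)" % component


def build_filter_multi_attr(attrs, extra, login):
    """Proposal 1: OR together every attribute listed in the URL."""
    value = escape_filter_value(login)
    if len(attrs) == 1:
        term = "(%s=%s)" % (attrs[0], value)
    else:
        term = "(|" + "".join("(%s=%s)" % (a, value) for a in attrs) + ")"
    return "(&%s%s)" % (term, _wrap(extra)) if extra else term


def build_filter_template(extra_with_placeholder, login):
    """Proposal 2 (the one Brad favours): the administrator writes the whole
    filter and every '%u' is replaced by the escaped login."""
    return extra_with_placeholder.replace("%u", escape_filter_value(login))


if __name__ == "__main__":
    attrs, extra = parse_ldap_url(
        "ldap://server/dc=example,dc=com?uid,mail?sub?(objectClass=person)")
    print(build_filter_multi_attr(attrs, extra, "alice"))
    print(build_filter_template("(&(|(uid=%u)(mail=%u))(objectClass=person))", "alice"))
```

With the template scheme, an unescaped login containing ")(" would become a second filter term; with escaping it stays a literal value inside the one attribute assertion.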
