httpd-dev mailing list archives

From "Brad Nicholes" <bnicho...@novell.com>
Subject Re: PATCH #40075 - using ldap groups that contain DNs and usernames for AuthZ
Date Sat, 30 Dec 2006 04:11:52 GMT
>>> On Mon, Dec 4, 2006 at  1:00 PM, in message
<015367BE-3961-4637-95FC-E9D69BEFF5DC@UMICH.EDU>, Johanna Bromberg Craig
<CANNA@UMICH.EDU> wrote: 
> Hi,
> 
> I've addressed the feedback I received on my patch from Brad Nicholes  
> as follows:
> 
> I've reviewed all instances of util_ldap_compare() and  
> util_ldap_cache_comparedn() to confirm that each is protected from  
> cases where req->dn might be NULL or '\0'.
> 
> I've addressed the differences between AuthLDAPGroupAttributeDN,  
> AuthLDAPGroupAttribute, and AuthzLDAPRequireDN.
> 
> Thanks,
> Johanna

I finally got some time to take a closer look at the patch. Although I like the concept,
I am still uncomfortable with the implementation from a configuration point of view. I have
attached a patch which is actually closer to your first patch, except that it maintains the original
functionality while enhancing the AuthLDAPGroupAttribute directive to support attributes
that may contain a full DN. Actually, I think that was the original intent of AuthLDAPGroupAttributeIsDN,
but it appears to have been broken along the way. Anyway, the proposed new syntax for AuthLDAPGroupAttribute
is:

AuthLDAPGroupAttribute attribute [DN | UN] ...

where the keywords "DN" (Distinguished Name) and "UN" (User Name) can optionally follow each
attribute in the list. If neither keyword is specified, then the attribute type
follows the AuthLDAPGroupAttributeIsDN setting. The AuthLDAPGroupAttributeIsDN setting determines
whether a DN is required in the group comparison or not. If the AuthLDAPGroupAttribute list contains
any UNs, then AuthLDAPGroupAttributeIsDN must be set to OFF; otherwise the authorization will
fail, since it would be expecting to be able to resolve the user object to a DN within the
LDAP directory.

Let me know if this works for you.

BTW, this patch is against trunk rather than the 2.2.x branch.

Brad
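The following is an added illustration, not code from Brad's patch or from mod_authnz_ldap: a small Python model of the group-comparison rules described in the message above. It parses the proposed `AuthLDAPGroupAttribute attribute [DN | UN] ...` syntax, lets an attribute without a keyword fall back to the `AuthLDAPGroupAttributeIsDN` setting, refuses a list that mixes `UN` attributes with `AuthLDAPGroupAttributeIsDN ON` (the failure the message warns about), and tolerates a user with no resolved DN (the NULL `req->dn` case Johanna mentions). The group entry, user names and function names are constructed for the example; real DN comparison in httpd is done by the util_ldap cache, which is only approximated here by a case-insensitive, whitespace-normalised string match.

```python
"""Model of the proposed AuthLDAPGroupAttribute [DN | UN] semantics.

Illustration only: this is not mod_authnz_ldap code. The group entry,
user identities and helper names below are constructed for the example.
"""

from typing import Dict, List, Optional, Tuple

# A parsed directive: [(attribute, "DN" | "UN" | None)], None meaning that
# no keyword followed the attribute and AuthLDAPGroupAttributeIsDN decides.
ParsedDirective = List[Tuple[str, Optional[str]]]


def parse_group_attribute(args: str) -> ParsedDirective:
    """Parse the argument string of 'AuthLDAPGroupAttribute attribute [DN | UN] ...'."""
    tokens = args.split()
    parsed: ParsedDirective = []
    i = 0
    while i < len(tokens):
        attribute = tokens[i]
        kind: Optional[str] = None
        # A keyword is optional and, when present, follows its attribute.
        if i + 1 < len(tokens) and tokens[i + 1].upper() in ("DN", "UN"):
            kind = tokens[i + 1].upper()
            i += 1
        parsed.append((attribute, kind))
        i += 1
    return parsed


def effective_kind(kind: Optional[str], attribute_is_dn: bool) -> str:
    """An attribute without a keyword follows AuthLDAPGroupAttributeIsDN."""
    if kind is not None:
        return kind
    return "DN" if attribute_is_dn else "UN"


def _normalise_dn(dn: str) -> str:
    """Crude stand-in for util_ldap's DN comparison: case- and space-insensitive."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def user_in_group(group_entry: Dict[str, List[str]],
                  directive: str,
                  attribute_is_dn: bool,
                  username: str,
                  user_dn: Optional[str]) -> bool:
    """Return True if the user matches at least one configured group attribute.

    group_entry   -- attribute name -> list of values on the LDAP group object
    directive     -- argument string of AuthLDAPGroupAttribute
    attribute_is_dn -- the AuthLDAPGroupAttributeIsDN setting (True == ON)
    username      -- the authenticated user name
    user_dn       -- the user's resolved DN, or None if it could not be resolved
    """
    parsed = parse_group_attribute(directive)

    # Rule from the message: with AuthLDAPGroupAttributeIsDN ON the module
    # expects to resolve the user to a DN, so any UN attribute makes the
    # authorization fail rather than silently matching on the user name.
    if attribute_is_dn and any(kind == "UN" for _, kind in parsed):
        return False

    for attribute, kind in parsed:
        values = group_entry.get(attribute, [])
        if effective_kind(kind, attribute_is_dn) == "DN":
            # No resolved DN means no DN comparison is possible; never
            # compare against an empty/NULL DN, just skip the attribute.
            if not user_dn:
                continue
            wanted = _normalise_dn(user_dn)
            if any(_normalise_dn(v) == wanted for v in values):
                return True
        else:
            if username in values:
                return True
    return False


# Constructed group object for the example (not real directory data).
EXAMPLE_GROUP = {
    "member": ["cn=johanna,ou=people,dc=example,dc=com"],
    "memberUid": ["brad"],
}

if __name__ == "__main__":
    print(parse_group_attribute("member DN memberUid UN uniqueMember"))
    print(user_in_group(EXAMPLE_GROUP, "member DN memberUid UN", False, "brad", None))
    print(user_in_group(EXAMPLE_GROUP, "member DN memberUid UN", True, "johanna",
                        "cn=johanna,ou=people,dc=example,dc=com"))
```

Running the module prints the parsed directive, then `True` for a user matched by name through a `UN` attribute while `AuthLDAPGroupAttributeIsDN` is OFF, and `False` for the same directive with the setting ON, because the list contains a `UN` attribute.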


