httpd-dev mailing list archives

From "Thomas, Peter" <ptho...@HPTI.com>
Subject [PATCH 48780] Input and improvements requested for suggested enhancement 48780
Date Mon, 22 Feb 2010 16:46:26 GMT
[ c.f. https://issues.apache.org/bugzilla/show_bug.cgi?id=48780 ]

Eric Covener has commented on, and I replied to, my suggested enhancement
for mod_auth_ldap.  In this case, I am attempting to use LDAP for
authorization, accepting authentication from another provider--this
would most typically be mod_ssl, but I've seen other "in-family" cases
in Bugzilla's history where people are working to integrate SSO with
other authentication providers such as Kerberos [or more generally
GSSAPI].

The as-is implementation re-binds the LDAP connection using the user and
password provided to perform the compare phase.  The proposed patch adds
a [non-default] option to the LDAP provider that causes the compare
phase to occur without a user-specific re-binding.

In the comments, I contemplate various "sanity checks" to prevent--or at
the very least strongly caution against--inappropriate, insecure uses of
this option.

--Pete
