httpd-dev mailing list archives

From "Thomas, Peter" <>
Subject RE: [PATCH 48780] Input and improvements requested for suggested enhancement 48780
Date Mon, 22 Feb 2010 17:15:33 GMT
The beauty is that it doesn't change the authorization behavior, except to the extent that
the bind-as-user is bypassed if the option is set.  I only found one location that attempted
to validate the user's password, so I surmised that was the 2nd [compare] operation, and I
used the "get user DN" variant which--according to the mod_ldap documentation, verified by
my visual inspection--is a copy of "check user cert" without the user bind.


-----Original Message-----
From: Eric Covener [] 
Sent: Monday, February 22, 2010 12:08 PM
Subject: Re: [PATCH 48780] Input and improvements requested for suggested enhancement 48780

On Mon, Feb 22, 2010 at 11:46 AM, Thomas, Peter <> wrote:
> [ c.f. ]
> Eric Covener has commented, and I replied, to my suggested enhancement 
> for mod_auth_ldap.  In this case, I am attempting to use LDAP for 
> authorization, accepting authentication from another provider--this 
> would most typically be mod_ssl, but I've seen other "in-family" cases 
> in Bugzilla's history where people are working to integrate SSO with 
> other authentication providers such as Kerberos [or more generally 
> The as-is implementation re-binds the LDAP connection using the user 
> and password provided to perform the compare phase.  The proposed 
> patch adds a [non-default] option to the LDAP provider that causes the 
> compare phase to occur without a user-specific re-binding.

I haven't dug too deeply, but I didn't see how the attached patch changed the authorization-time
behavior.  Can you elaborate?

Eric Covener
