Subject: [PATCH 48780] Input and improvements requested for suggested enhancement 48780
Date: Mon, 22 Feb 2010 11:46:26 -0500
From: "Thomas, Peter"
Delivered-To: mailing list dev@httpd.apache.org
Message-ID: <5045A4D718CAB644BA24979206486B6006525574@hptimail03.HPTI.COM>
In-Reply-To: <1266856492.88283.ezmlm@httpd.apache.org>

[ c.f. https://issues.apache.org/bugzilla/show_bug.cgi?id=48780 ]

Eric Covener has commented, and I replied, to my suggested enhancement for mod_auth_ldap.

In this case, I am attempting to use LDAP for authorization, accepting authentication from another provider--this would most typically be mod_ssl, but I've seen other "in-family" cases in Bugzilla's history where people are working to integrate SSO with other authentication providers such as Kerberos [or more generally GSSAPI].

The as-is implementation re-binds the LDAP connection using the user and password provided to perform the compare phase. The proposed patch adds a [non-default] option to the LDAP provider that causes the compare phase to occur without a user-specific re-binding.

In the comments, I contemplate various "sanity checks" to prevent--or at the very least strongly caution against--inappropriate, insecure uses of this option.

--Pete
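An added configuration example, not taken from the post or from the Bugzilla patch, of the deployment the post describes: mod_ssl performs the authentication and the LDAP provider is wanted for authorization only. The host name, DNs, the `certSubjectDN` attribute and the service-account password are assumed, and the proposed option appears only as a comment because the post does not name it.

```apache
# Constructed example, not the patch: mod_ssl authenticates by client
# certificate and mod_authnz_ldap is used only for the authorization decision.
# SSLCACertificateFile (the CA that issued client certificates) is set at the
# virtual-host level and is not repeated here.
<Location /admin>
    # mod_ssl authenticates: a client certificate chained to our CA is mandatory.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # FakeBasicAuth hands later phases a Basic-auth identity built from the
    # certificate subject DN, with the fixed, documented password "password".
    SSLOptions +FakeBasicAuth

    AuthType Basic
    AuthName "Admin (client certificate)"
    AuthBasicProvider ldap

    # Directory searches run as a least-privilege service account (assumed DN
    # and placeholder password). "certSubjectDN" is an assumed attribute that
    # holds each person's certificate subject DN so the lookup can match it.
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?certSubjectDN?sub?(objectClass=person)"
    AuthLDAPBindDN       "cn=httpd-authz,ou=Service,dc=example,dc=com"
    AuthLDAPBindPassword "placeholder-service-password"

    # Authorization: the compare phase checks membership of the admin group.
    AuthLDAPGroupAttribute     member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=webadmins,ou=Groups,dc=example,dc=com

    # As shipped, the provider re-binds to the directory as the located user
    # with the password supplied above, which the directory will not accept
    # unless the entry's password is literally "password", so the request is
    # refused even though the certificate already authenticated the client.
    # The non-default option proposed in bug 48780 (not named in the post)
    # would skip that per-user re-bind; it is only defensible where, as here,
    # the user name comes from a credential the server itself verified, and
    # never where the name is merely asserted by the client.
</Location>
```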