httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Mark H. Wood" <mw...@IUPUI.Edu>
Subject RE: [users@httpd] Auth Apache 2 agaisnt AD Groups
Date Thu, 25 May 2006 14:25:11 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One bit of fun you'll have is that Windows users expect groups to nest,
but LDAP doesn't seem to do that.  That is, you can have a group G some of
whose members are groups G2, G3 etc. and an object which is only a member
of (say) group G2 will be considered a member of group G as well -- by
Windows, but not by LDAP.

I'm struggling with this now.  The only way to know whether a userID here
has a relationship with a particular campus X is to test its membership in
group cn=X-Campus.  But (for my campus) X-Campus contains only twenty
other groups X-Campus-N, and the 26,000 users on this campus are
distributed across those groups, for reasons known only to those who
define the groups.  I could do a big stack of Require rules, one per -N
group, but I'll never know when the central IT guys will decide to add
another one.  Short of some LDAP filter voodoo that does subqueries (whose
existence sounds unlikely) it looks like I'm going to have to build a
recursive membership test and then fit it onto Apache somehow (probably
using mod_auth_external).

- -- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Open-source executable:  $0.00.  Source:  $0.00  Control:  priceless!

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

iD8DBQFEdb5Os/NR4JuTKG8RAorYAJ9ZbI7vLl4ZjjW4q7GoUghTOkss6gCeMh1x
UXmZoCJEnXe9VkdLiGQbXeI=
=tnlq
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message