httpd-users mailing list archives

From Richard Fogle <r...@neosaint.org>
Subject Re: [users@httpd] mod_authnz_ldap and env vars?
Date Sun, 30 Sep 2007 17:48:07 GMT
James,

Thanks for the response, I quite agree this is something that I would  
logically expect to be included.  Would you mind posting your patch?   
Even if it doesn't get merged I'm sure I'm not the only one who needs  
to know this information.  It makes little sense to have all these  
tables contain usernames/passwords/group auth while we have a  
perfectly capable Active Directory infrastructure we can draw upon.
Unfortunately, without the capability to see the groups the user logs  
in under we would have to resort to writing all this into the  
application, so we'd replace one type of code with another type of  
auth code instead of pushing it on the web server where (I believe)  
it belongs.

R

On Sep 28, 2007, at 8:19 PM, James Devenish wrote:

> Hi Richard,
>
> On 29/09/2007, Richard N. Fogle <rich@neosaint.org> wrote:
>> Is there a way to acquire the group via code, like a server
>> environment variable (e.g., like REMOTE_USER) of the group authorized
>> by a require ldap-group (or any group)?  This would be extremely
>
> I agree that it would be wonderful if something like "REMOTE_GROUP"
> existed (as long as it's clear how multiple-group membership is
> expressed). For administrators, I agree that the job is best done in
> Apache (plus its LDAP caching can be used). Personally, I have patched
> mod_auth_ldap.c as you suggested, so that the group matched by
> 'Require group' is added to the environment. This has been running
> quite well. And what a relief it's been!! It is not quite as useful as
> enumerating _all_ the groups that the principal belongs to, so any of
> our applications that need this are still required to do their own
> LDAP queries. Maybe this is not always so bad, since it means that
> Apache does not waste time enumerating everybody's entire group
> membership for every web hit! Overall, your request seems entirely
> possible, but I have not contributed a patch back to Apache yet.
>
> James.
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server  
> Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>

