httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "James Devenish" <>
Subject Re: [users@httpd] mod_authnz_ldap and env vars?
Date Sat, 29 Sep 2007 01:19:50 GMT
Hi Richard,

On 29/09/2007, Richard N. Fogle <> wrote:
> Is there a way to acquire the group via code, like a server
> environment variable (e.g., like REMOTE_USER) of the group authorized
> by a require ldap-group (or any group)?  This would be extremely

I agree that it would be wonderful if something like "REMOTE_GROUP"
existed (as long as it's clear how multiple-group membership is
expressed). For administrators, I agree that the job is best done in
Apache (plus its LDAP caching can be used). Personally, I have patched
mod_auth_ldap.c as you suggested, so that the group matched by
'Require group' is added to the environment. This has been running
quite well. And what a relief it's been!! It is not quite as useful as
enumerating _all_ the groups that the principal belongs to, so any of
our applications that need this are still required to do their own
LDAP queries. Maybe this is not alwaysw so bad, since it means that
Apache does not waste time enumerating everybody's entire group
membership for every web hit! Overall, your request seems entirely
possible, but I have not contributed a patch back to Apache yet.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message