You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2007/07/13 17:06:34 UTC

DO NOT REPLY [Bug 42891] New: - Support for nested groups in LDAP

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42891>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42891

           Summary: Support for nested groups in LDAP
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_authz_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: kleibl@centrum.sk


It is currently impossible to authorize a user when he's member of a group
nested in the group defined in "require ldap-group". The nesting of groups makes
sense in scenarios when it is practical to reuse existing LDAP group definitions
and their extension (and/or joining).
The functionality can be implemented by recursively searching in nested groups
if the user isn't member of the group itself. This functionality can be made
optional because of the expensive nature of such recursion.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 42891] - Support for nested groups in LDAP

Posted by bu...@apache.org.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42891>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42891


rederpj@remulak.net changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bugs@httpd.apache.org       |rederpj@remulak.net
             Status|NEEDINFO                    |ASSIGNED




------- Additional Comments From rederpj@remulak.net  2007-07-25 09:27 -------
Created an attachment (id=20549)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=20549&action=view)
Patch to add nested group support to httpd-trunk

This patch adds nested group support to Apache and adds directives to support
it.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 42891] - Support for nested groups in LDAP

Posted by bu...@apache.org.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42891>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42891


tony@pc-tony.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO




------- Additional Comments From tony@pc-tony.com  2007-07-13 13:17 -------
does  '?sub'  not work in the LDAP AuthURL? 



-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 42891] - Support for nested groups in LDAP

Posted by bu...@apache.org.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42891>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42891





------- Additional Comments From rederpj@remulak.net  2007-07-16 10:59 -------
As Brad pointed out, sub refers to the DN hierarchy. Nested group processing
requires an awareness of the "member" attributes contained within a group which
designate subgroups. Each of those subgroups then need to be queried to
determine their membership until the desired user is found. I have a patch I'll
be submitting that provides nested group support as soon as I finish forward
porting it to trunk.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 42891] - Support for nested groups in LDAP

Posted by bu...@apache.org.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42891>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42891





------- Additional Comments From kleibl@centrum.sk  2007-07-16 00:06 -------
(In reply to comment #1)
> does  '?sub'  not work in the LDAP AuthURL? 
> 
> No, it doesn't recurse the nested groups. My AuthLDAPUrl was
ldap://xxx/dc=yyy?sAMAccountName?sub?(objectClass=person).

thanx
k



-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 42891] - Support for nested groups in LDAP

Posted by bu...@apache.org.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=42891>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=42891





------- Additional Comments From bnicholes@apache.org  2007-07-16 07:21 -------
?sub only works for authentication when searching for objects that exist in 
sub-trees of the base DN.  Searching for group membership in nested groups, is 
an entirely different issue.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org