Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/02/05 04:38:45 UTC
DO NOT REPLY [Bug 38515] New: - Dynamic LDAP Group Support
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED
COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38515>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38515
Summary: Dynamic LDAP Group Support
Product: Apache httpd-2
Version: 2.3-HEAD
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_auth_ldap
AssignedTo: bugs@httpd.apache.org
ReportedBy: gregory.szorc@case.edu
LDAP group records may have "memberURL" attributes, which are LDAP URLs that
describe a search returning users in a group. It would be helpful if Apache
could recognize these results and follow the links to determine whether a user is
a member of a dynamic group.
--
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 38515] - Dynamic LDAP Group Support
Posted by bu...@apache.org.
------- Additional Comments From bnicholes@apache.org 2006-04-18 18:53 -------
The direction that the patch is taking seems reasonable but there appear to
be some problems. First, just adding a call to
util_ldap_cache_comparedynamicgroup() in the ldap-group tag probably won't
work. ldap-group can take a number of groups and the patch doesn't seem to be
able to handle a set of mixed static and dynamic groups. You may need to have
some way of detecting whether a particular group is static or dynamic and
then handle it from there. Also since util_ldap is supposed to be a set of
generic cross platform LDAP APIs, the function
util_ldap_cache_comparedynamicgroup() seems a little specialized considering
the scope of the other util_ldap APIs.
Obviously you will also have to fix the code in
util_ldap_cache_comparedynamicgroup() to respect the search attribute and scope
rather than hardcoding "uid" and "LDAP_SCOPE_SUBTREE". You will also need to
implement the caching somehow as well but that should be fairly similar to the
way that user/group caching already works. In fact you could probably just
use the same cache but with a different attribute as the key rather
than "member" or "uniqueMember".
DO NOT REPLY [Bug 38515] - Dynamic LDAP Group Support
Posted by bu...@apache.org.
gregory.szorc@case.edu changed:
What              |Removed         |Added
----------------------------------------------------------------------------
Version           |2.3-HEAD        |2.2-HEAD
DO NOT REPLY [Bug 38515] - Dynamic LDAP Group Support
Posted by bu...@apache.org.
------- Additional Comments From gregory.szorc@case.edu 2006-02-06 03:55 -------
Created an attachment (id=17599)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=17599&action=view)
Initial patch without caching support against 2.2.x branch
A first version of a patch against 2.2.x branch. It has no cache support for
dynamic group lookup. It also defaults to using the "uid" username attribute
for group membership.
DO NOT REPLY [Bug 38515] - Dynamic LDAP Group Support
Posted by bu...@apache.org.
v_sathyamurthy@hotmail.com changed:
What              |Removed         |Added
----------------------------------------------------------------------------
Severity          |enhancement     |critical
Priority          |P2              |P1
DO NOT REPLY [Bug 38515] - Dynamic LDAP Group Support
Posted by bu...@apache.org.
gregory.szorc@case.edu changed:
What              |Removed         |Added
----------------------------------------------------------------------------
Status            |ASSIGNED        |NEEDINFO
------- Additional Comments From gregory.szorc@case.edu 2007-03-18 20:10 -------
I'd really like to get something incorporated into the tree. However, I could
use some help formulating a proper solution.
I just sat down to create a new patch against the trunk. Here are my initial
thoughts for the direction of the patch.
* Need 2 new config directives
1) AuthLDAPEnableDynamicGroupLookups (defaults to off) - Determines whether
dynamic group lookup is enabled
2) AuthLDAPDynamicGroupAttribute (defaults to "MemberURL") - Determines which
attributes can contain dynamic group LDAP URIs
* Dynamic group lookup is added to ldapgroup_check_authorization in
mod_authnz_ldap.c. If enabled, we check dynamic group membership after regular
(static) group membership
Here is where it gets interesting. Checking for dynamic group membership
involves the following steps:
1) Look for attributes in a group record that correspond to dynamic group LDAP URIs
2) Parse each result and perform a LDAP search to see if the current user DN is
returned.
Now, I would love to incorporate this feature into uldap_cache_compare in
util_ldap.c, but I'm not sure if it will fit. I will have to add at least one
argument to this function whose value dictates whether to invoke the special
dereference-attribute-value-as-LDAP-URI-and-search functionality.
Realistically, I will have to add more arguments that control how the search is
performed (see the existing patch for what I mean). Is it acceptable to add all
of these extra arguments, or should I just create a new function that handles
dynamic group lookups explicitly (as is the behavior in the current patches)?
Any comments from the peanut gallery?
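The two-step check sketched in the 2007-03-18 comment (find the memberURL values on the group entry, then run each URL's search and see whether the user's DN comes back), together with the original report's description of memberURL and the review point about not hardcoding the "uid" attribute or LDAP_SCOPE_SUBTREE, can be written out as follows. This is an added example, not code from httpd or from the patches attached to this bug. It assumes the RFC 4516 URL layout (ldap://host:port/baseDN?attrs?scope?filter) and replaces the directory server with a constructed in-memory dict so it runs offline; the DNs, users and groups in it are made up.

```python
"""Dynamic (memberURL-based) LDAP group membership. Added example, not httpd
code; assumes RFC 4516 URLs and an in-memory stand-in for the directory."""
from collections import namedtuple
from urllib.parse import unquote

LdapUrl = namedtuple("LdapUrl", "base attrs scope filter")


def normalize_dn(dn):
    """Simplified DN normalization: lower-case, no whitespace around commas.
    (Escaped commas and attribute-specific matching rules are not handled.)"""
    return ",".join(part.strip() for part in dn.lower().split(","))


# Constructed sample directory: normalized DN -> {attribute: [values]}.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectclass": ["person"], "ou": ["eng"], "l": ["Berlin"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectclass": ["person"], "ou": ["sales"], "l": ["Berlin"]},
    "uid=eve,ou=contractors,dc=example,dc=com": {"objectclass": ["person"], "ou": ["eng"], "l": ["Berlin"]},
    # Dynamic groups: membership is whatever the memberURL search returns.
    "cn=berlin-eng,ou=groups,dc=example,dc=com":
        {"memberurl": ["ldap:///ou=people,dc=example,dc=com??one?(&(ou=eng)(l=berlin))"]},
    "cn=all-eng,ou=groups,dc=example,dc=com": {"memberurl": ["ldap:///dc=example,dc=com??sub?(ou=eng)"]},
}


def parse_ldap_url(url):
    """Split an LDAP URL into base DN, attributes, scope and filter. The host part
    is ignored on purpose: a value stored in the directory must not redirect the
    membership lookup to some other server."""
    scheme, _, rest = url.partition("://")
    if scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    path = rest.partition("/")[2]
    base, attrs, scope, filt = (unquote(p) for p in (path.split("?") + [""] * 4)[:4])
    scope = scope.lower() or "base"
    if scope not in ("base", "one", "sub"):
        raise ValueError("bad scope %r in %r" % (scope, url))
    return LdapUrl(normalize_dn(base), [a for a in attrs.split(",") if a], scope, filt or "(objectClass=*)")


def in_scope(entry_dn, base, scope):
    """True if a search rooted at base with this scope could return entry_dn."""
    if entry_dn == base:
        return scope != "one"
    if scope == "base" or not entry_dn.endswith("," + base):
        return False
    # "sub" takes any descendant; "one" only entries exactly one RDN below base.
    return scope == "sub" or "," not in entry_dn[:-len(base) - 1]


def _parse_filter(s, i):
    """Recursive-descent parser for &, |, ! and (attr=value) / (attr=*) items.
    Returns (predicate over an entry, index just past the closing parenthesis)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d in %r" % (i, s))
    i += 1
    if i < len(s) and s[i] in "&|":
        combine, subs, i = (all if s[i] == "&" else any), [], i + 1
        while i < len(s) and s[i] == "(":
            sub, i = _parse_filter(s, i)
            subs.append(sub)
        pred = lambda e, subs=subs, combine=combine: combine(p(e) for p in subs)
    elif i < len(s) and s[i] == "!":
        inner, i = _parse_filter(s, i + 1)
        pred = lambda e, inner=inner: not inner(e)
    else:
        j = s.find(")", i)
        attr, eq, value = s[i:j].partition("=") if j >= 0 else ("", "", "")
        if not eq:
            raise ValueError("unsupported filter item at %d in %r" % (i, s))
        attr, value, i = attr.lower(), value.lower(), j
        if value == "*":      # presence test
            pred = lambda e, a=attr: bool(e.get(a))
        else:                 # case-insensitive equality only; no substring wildcards
            pred = lambda e, a=attr, v=value: v in (x.lower() for x in e.get(a, []))
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d in %r" % (i, s))
    return pred, i + 1


def match_filter(filt, entry):
    pred, end = _parse_filter(filt, 0)
    if end != len(filt):
        raise ValueError("trailing data in filter %r" % filt)
    return pred(entry)


def is_dynamic_member(directory, group_dn, user_dn, url_attr="memberURL"):
    """Follow every URL in the group's url_attr (configurable, not hardcoded) and
    report whether the user's entry would be in that search's result; testing
    scope and filter against the user's own entry is that same question."""
    group = directory.get(normalize_dn(group_dn))
    user_dn = normalize_dn(user_dn)
    user = directory.get(user_dn)
    if not group or not user:
        return False
    for url in group.get(url_attr.lower(), []):
        try:
            u = parse_ldap_url(url)
        except ValueError:
            continue          # a malformed memberURL grants nothing
        if in_scope(user_dn, u.base, u.scope) and match_filter(u.filter, user):
            return True
    return False
```

With the sample data, alice is a member of cn=berlin-eng (one level below ou=people, ou=eng, l=Berlin), bob is not (ou=sales), and eve is not either, because her entry sits under ou=contractors and the URL's scope is "one" below ou=people, even though the filter alone would match her; the "sub" URL on cn=all-eng does include her. Two design points carry over to a real implementation: the search base, scope and attribute list come from the URL and the module configuration rather than fixed constants, and the URL's host component is ignored so the lookup always goes to the server the module is already bound to. Since whoever can write memberURL on a group entry thereby defines its membership, the directory's ACL on that attribute is part of the trust boundary; in a mixed static/dynamic group set, the static member/uniqueMember test would run first and this check only afterwards.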
DO NOT REPLY [Bug 38515] - Dynamic LDAP Group Support
Posted by bu...@apache.org.
gregory.szorc@case.edu changed:
What              |Removed         |Added
----------------------------------------------------------------------------
Status            |NEW             |ASSIGNED
------- Additional Comments From gregory.szorc@case.edu 2006-02-05 04:40 -------
I intend to provide a patch that accomplishes the necessary functionality. It
can then be fine-tuned by someone more adept with Apache module programming than I.
DO NOT REPLY [Bug 38515] - Dynamic LDAP Group Support
Posted by bu...@apache.org.
------- Additional Comments From gregory.szorc@case.edu 2007-03-18 19:54 -------
Created an attachment (id=19734)
--> (http://issues.apache.org/bugzilla/attachment.cgi?id=19734&action=view)
Continuation of previous patch
The attachment is a patch I had against the 2.2.x branch. I'm not sure if it
works, but it was hanging around my home directory and figured I should put it
up here.