Posted to dev@httpd.apache.org by johanna bromberg craig <ca...@umich.edu> on 2006/07/20 05:27:54 UTC

PATCH #40075 - using ldap groups that contain DNs and usernames for AuthZ

I'm a web developer at the University of Michigan and one of the
authors of cosign ( http://weblogin.org ) which we use for (web)
authentication. As to authorization, we've been tweaking and tuning
mod_authz_ldap ( http://authzldap.othello.ch/ ) but we're really not
happy with the code base. We're currently still running Apache 1, but the
new mod_authnz_ldap has given us a very good reason to migrate to
Apache 2.2 this summer.

The only trouble is, we need to extend the functionality a bit.

We have identities at Michigan that don't have their own entries in
our LDAP directory, but they do appear in groups. This brings up a
few issues.

1) We'd like some way to say "if we can't find a DN
for this identity, that's OK."

2) Since some of our users are in the directory ( have a person
entry ) and some are not, AuthLDAPGroupAttributeisDN is not rich
enough for us. Many of our groups contain both DNs and usernames.
We'd like to extend "AuthLDAPGroupAttribute" to say whether the
attribute in question is a DN or username, and thus be able to
authorize both DNs and usernames for the same resource.

I've proposed a patch to mod_authnz_ldap that adds:

a) A new directive - AuthzLDAPRequireDN On | Off. "On" is the
behavior we're looking for in issue #1 above, Off is the current
default behavior, and this defaults to Off.

b) A second argument to AuthLDAPGroupAttribute - a second argument,
"dn", allows us the finer grain control we're looking for in issue #2
above. If the dn option is given, the attribute ( member, say ) must
be a DN. If this type is not set, the global
"AuthLDAPGroupAttributeisDN" is obeyed, i.e. it works as before.

Both of these changes are meant to be fully backward compatible with
the behavior described in the existing documentation so no server
admin should experience a surprise change upon an upgrade if this
patch were accepted.

I expect this functionality to be useful to any site that splits
their authN/authZ. In particular, any site that uses WebSSO ( Cosign,
CAS, PubCookie, etc. ) for authN but LDAP for authZ.

Thanks.

-J
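The authorization rules described in the post (a missing DN tolerated under AuthzLDAPRequireDN On, and a per-attribute "dn" flag that overrides the global AuthLDAPGroupAttributeisDN), modelled in Python as an added example. This is not the patch's or mod_authnz_ldap's code; the directive names follow the proposal, and DIRECTORY and GROUP are constructed sample data.

```python
"""Model of the authorization rules proposed in PATCH #40075.

Added illustration, not mod_authnz_ldap code. Directive names follow the
proposal; DIRECTORY and GROUP are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed directory: 'bob' and 'carol' have no person entry at all.
DIRECTORY: Dict[str, str] = {"alice": "uid=alice,ou=people,dc=example,dc=edu"}

# Constructed group entry: 'member' holds DNs, 'memberUid' holds usernames.
GROUP: Dict[str, List[str]] = {
    "member": ["uid=alice,ou=people,dc=example,dc=edu"],
    "memberUid": ["bob", "carol"],
}


@dataclass
class AuthzConfig:
    # AuthzLDAPRequireDN On|Off (proposed). As the post describes it,
    # On means a missing DN is acceptable; Off keeps today's behaviour.
    require_dn: bool = False
    # AuthLDAPGroupAttributeisDN On|Off (existing global setting).
    group_attribute_is_dn: bool = True
    # AuthLDAPGroupAttribute <attr> [dn] (proposed second argument):
    # True = values are DNs, False = usernames, None = not given, obey global.
    group_attributes: Dict[str, Optional[bool]] = field(
        default_factory=lambda: {"member": None, "uniquemember": None})


def lookup_dn(user: str, directory: Dict[str, str] = DIRECTORY) -> Optional[str]:
    """Stand-in for the LDAP search that maps an authenticated user to a DN."""
    return directory.get(user)


def is_group_member(user: str, cfg: AuthzConfig,
                    group: Dict[str, List[str]] = GROUP) -> bool:
    """Return True if 'user' satisfies a group requirement under 'cfg'."""
    dn = lookup_dn(user)
    if dn is None and not cfg.require_dn:
        return False  # current behaviour: identity has no DN, deny
    for attr, attr_is_dn in cfg.group_attributes.items():
        is_dn = cfg.group_attribute_is_dn if attr_is_dn is None else attr_is_dn
        wanted = dn if is_dn else user
        if wanted is not None and wanted in group.get(attr, []):
            return True
    return False
```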
Re: PATCH #40075 - using ldap groups that contain DNs and usernames for AuthZ

Posted by Gregory Szorc <gr...@gmail.com>.
>
> b) A second argument to AuthLDAPGroupAttribute - a second argument,
> "dn", allows us the finer grain control we're looking for in issue #2
> above. If  the dn option is given, the attribute ( member, say ) must
> be a DN. If this type is not set, the global
> "AuthLDAPGroupAttributeisDN" is obeyed. ie it works as before.
If you are referring to dynamic group support, I started a patch to provide
this.  It resides at
http://issues.apache.org/bugzilla/show_bug.cgi?id=38515.  That should
give you a start.  I could use some help developing the
patch, though.

Gregory Szorc
gregory.szorc@gmail.com