Posted to users@httpd.apache.org by Mxrgus Pxrt <ma...@tione.eu> on 2009/10/02 08:13:36 UTC

[users@httpd] Filter by group attribute using mod authnz_ldap

Hi,

Would it be possible to filter users not only by user attributes or 
groups but also by attributes of group using authnz_ldap?

Example:

Users:
 cn: First Last, ou: people, dc: lol
 cn: Second Last, ou: people, dc: lol

Groups:
cn: lord, ou: group, dc: lol
  member: First Last
  attribute111: yes

Now, if attribute111 is yes, auth succeeds.


If not, what would be your recommendation, how to solve this task?


Br,
Margus

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Filter by group attribute using mod authnz_ldap

Posted by Mxrgus Pxrt <ma...@tione.eu>.
Marc Patermann wrote:
> Hi,
>
> Mxrgus Pxrt wrote:
>
>> Would it be possible to filter users not only by user attributes or 
>> groups but also by attributes of group using authnz_ldap?
>>
>> Example:
>>
>> Users:
>> cn: First Last, ou: people, dc: lol
>> cn: Second Last, ou: people, dc: lol
>>
>> Groups:
>> cn: lord, ou: group, dc: lol
>>  member: First Last
>>  attribute111: yes
>>
>> Now, if attribute111 is yes, auth succeeds.
>>
>>
>> If not, what would be your recommendation, how to solve this task?
> Hm, if there was any group-filter setting ...
> But you have to _name_ the ldap-group anyway, don't you? So just name 
> LDAP groups here which have the attribute. :)
>
> If you use AuthLDAPBindDN for searching ldap by apache, you could 
> "hide" other groups than these with the attribute by ACL on the ldap 
> server.
>
>
>
> Marc

Neither of the solutions you offered is good enough.

By defining groups one by one in ldap-group or messing around per group 
in the ACL of the LDAP server I would not gain anything; I need filtering by 
group attribute.

As I understand it, the best solutions would be:
a. http://code.google.com/p/mod-auth-external/ - create, for example, a dynamic 
Python program that would filter using the group attribute
b. patch the current mod_authz_ldap

Variant A seems a bit less messy (future problems on updates etc. with 
variant B). Can any of you recommend something better?
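
As an added example (not part of the original post, and not code from mod-auth-external): the decision logic a helper program for variant A would need, building the LDAP search filter for "member of a group with attribute111: yes" with the user-supplied value escaped per RFC 4515. Full member DNs, the second group and all function names are assumptions; how the helper receives the user name from Apache is not shown.

```python
import re

# Constructed sample data mirroring the thread's example (full DNs are assumed).
SAMPLE_GROUPS = [
    {"dn": "cn=lord,ou=group,dc=lol",
     "member": ["cn=First Last,ou=people,dc=lol"],
     "attribute111": ["yes"]},
    {"dn": "cn=serf,ou=group,dc=lol",          # hypothetical second group
     "member": ["cn=Second Last,ou=people,dc=lol"],
     "attribute111": ["no"]},
]

# Attribute names are never escaped, only validated against a strict pattern.
_ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*\Z")


def escape_filter_value(value):
    """Escape the RFC 4515 special characters so user input stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_group_filter(user_dn, attr="attribute111", wanted="yes"):
    """Filter for: groups that list user_dn as member AND carry attr=wanted."""
    if not _ATTR_NAME.match(attr):
        raise ValueError("invalid attribute name: %r" % attr)
    return "(&(member=%s)(%s=%s))" % (
        escape_filter_value(user_dn), attr, escape_filter_value(wanted))


def is_authorized(user_dn, groups, attr="attribute111", wanted="yes"):
    """Offline stand-in for the search: same AND condition, fails closed."""
    if not user_dn:
        return False
    # Case-insensitive comparison is a simplifying assumption of this example.
    user = user_dn.lower()
    for group in groups:
        members = [m.lower() for m in group.get("member", [])]
        values = [v.lower() for v in group.get(attr, [])]
        if user in members and wanted.lower() in values:
            return True
    return False


if __name__ == "__main__":
    for dn in ("cn=First Last,ou=people,dc=lol", "cn=Second Last,ou=people,dc=lol"):
        print(dn, build_group_filter(dn), is_authorized(dn, SAMPLE_GROUPS))
```

Against a live directory, the string from `build_group_filter` would be used as the search filter under the group base, and any returned entry means the user is authorized.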











Re: [users@httpd] Filter by group attribute using mod authnz_ldap

Posted by Marc Patermann <ha...@ofd-sth.niedersachsen.de>.
Hi,

Mxrgus Pxrt wrote:

> Would it be possible to filter users not only by user attributes or 
> groups but also by attributes of group using authnz_ldap?
> 
> Example:
> 
> Users:
> cn: First Last, ou: people, dc: lol
> cn: Second Last, ou: people, dc: lol
> 
> Groups:
> cn: lord, ou: group, dc: lol
>  member: First Last
>  attribute111: yes
> 
> Now, if attribute111 is yes, auth succeeds.
> 
> 
> If not, what would be your recommendation, how to solve this task?
Hm, if there was any group-filter setting ...
But you have to _name_ the ldap-group anyway, don't you? So just name 
LDAP groups here which have the attribute. :)

If you use AuthLDAPBindDN for searching ldap by apache, you could "hide" 
other groups than these with the attribute by ACL on the ldap server.



Marc
