Posted to dev@httpd.apache.org by Brad Nicholes <BN...@novell.com> on 2004/12/01 22:53:23 UTC

Re: mod_auth_ldap and mod_auth interaction

The short answer is that it is already fixed in Apache 2.1/2.2.
Unfortunately you have hit on one of the limitations of the Apache 2.0
authentication module structure.  The problem is that authorization
types are replicated through multiple authentication modules.
Fortunately this has all been taken care of in Apache 2.1/2.2.  For
example, in the Apache 2.1/2.2 version of mod_authnz_ldap, the
authorization types are no longer user, group, etc., they are ldap-user,
ldap-group, etc.  You can also mix and match different types of
authorization with authentication.  The quick fix for Apache 2.0 is to
set "AuthAuthoritative off" so that if the mod_auth authorization fails,
it will defer to mod_auth_ldap which will work.

Brad
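As an added illustration (not part of Brad's or Duncan's mail), the Apache 2.0 workaround Brad describes beside the equivalent Apache 2.2 mod_authnz_ldap configuration. The host name, base DN, directory path and user names are placeholders.

```apache
# Apache 2.0: mod_auth and mod_auth_ldap are both loaded.
# With AuthLDAPRemoteUserIsDN on, r->user holds the DN, so mod_auth's
# "Require user" compares a DN against a list of uids and fails.
# AuthAuthoritative off makes mod_auth decline instead of rejecting,
# so mod_auth_ldap's own auth_checker decides the Require line.
# AuthLDAPAuthoritative stays on (its default) so a failed LDAP check
# is final rather than falling through to a non-existent next module.
<Directory /srv/www/private>
    AuthType Basic
    AuthName "Restricted"
    AuthLDAPURL ldap://ldap.example.org/ou=people,dc=example,dc=org?uid
    AuthLDAPRemoteUserIsDN on
    AuthAuthoritative off
    AuthLDAPAuthoritative on
    Require user alice bob
</Directory>

# Apache 2.2: mod_authnz_ldap has its own authorization types, so there
# is no ambiguity about which module handles the Require line and no
# need to weaken AuthAuthoritative.
<Directory /srv/www/private>
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.example.org/ou=people,dc=example,dc=org?uid
    AuthLDAPRemoteUserIsDN on
    AuthzLDAPAuthoritative on
    Require ldap-user alice bob
</Directory>
```

With the 2.0 workaround, check the error log after a deliberately failed login to confirm the request was rejected by mod_auth_ldap and not silently allowed through.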

>>> dbb@st-andrews.ac.uk Tuesday, November 30, 2004 5:35:29 AM >>>

Sorry if this belongs in the users group; it's a query, but a query about
the working of the code.

I've filed a bug (32426) but am trying to fix it myself.

What I've found is that if user_is_dn is set (AuthLDAPRemoteUserIsDN in an
.htaccess file) then mod_auth_ldap sets r->user to be the user's dn, not
the user uid authenticated as.

util_script.c uses this value to set REMOTE_USER (Good, all is well :)
but..

mod_auth.c uses this value to check the require(d) user and of course
fails as the list of users is a list of uids.

mod_auth_ldap has its own require (user | group | valid-user) checks.
These are used for require group successfully but not require user.

Is there a way to get information such as req->user or user_is_dn back
into mod_auth?  I'm guessing not easily & you don't really want to mess
with mod_auth.  Or get mod_auth to use mod_auth_ldap's auth_checker for
require user as it does for require group, which I think is the correct
solution.


Hoping someone familiar with the code can save me some time.


Cheers,
	Duncan