Posted to bugs@httpd.apache.org by bu...@apache.org on 2011/06/05 01:06:04 UTC

DO NOT REPLY [Bug 51322] New: Prepend and append string to LDAP search parameter

https://issues.apache.org/bugzilla/show_bug.cgi?id=51322

             Bug #: 51322
           Summary: Prepend and append string to LDAP search parameter
           Product: Apache httpd-2
           Version: 2.2.17
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_auth_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: hairlesshobo@stevecross.org
    Classification: Unclassified


While trying to set up my Apache web server for LDAP authentication against an
OpenLDAP database, I discovered that there is a lack of required syntax for my
needs. Almost all LDAP-aware applications have some method of specifying
additional characters to be added before or after the search parameter. Take my
setup for instance (obviously replacing example.org with the real domain that I
am not going to specify here).

Since I am running multiple virtual email domains from one server, I needed a
method of separating the accounts for one domain from the others. I have the
users of my directory set up as such:

dn: ou=People,dc=example,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: cn=example.org_johndoe,ou=People,dc=example,dc=org
cn: example.org_johndoe
objectclass: inetOrgPerson
objectclass: top
sn: doe

dn: cn=example.org_janedoe,ou=People,dc=example,dc=org
cn: example.org_janedoe
objectclass: inetOrgPerson
objectclass: top
sn: doe

When attempting to search by cn, which is the root DN, the user would have to
type in the full account name. This is a problem because whenever an account
name is set up, the first portion of the name is not exposed to the end user
because it is expected that the application that is talking with the LDAP
database will know how to handle it automatically. With the way that
mod_authnz_ldap is set up, there is a limitation that does not allow this to
work.

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 51322] Prepend and append string to LDAP search parameter

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51322

--- Comment #2 from Steve Cross <ha...@stevecross.org> 2011-06-04 23:13:39 UTC ---
Created attachment 27112
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=27112
Patch to mod_authnz_ldap that allows a string to be appended and prepended to
the search parameter

Standard unified diff format.



DO NOT REPLY [Bug 51322] Prepend and append string to LDAP search parameter

Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=51322

Steve Cross <ha...@stevecross.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable

--- Comment #1 from Steve Cross <ha...@stevecross.org> 2011-06-04 23:12:30 UTC ---
I have created a patch that adds the following two options to the
mod_authnz_ldap configuration:

AuthLDAPAttrPrependString
AuthLDAPAttrAppendString

These two configuration parameters allow you to specify a string that must be
added before and after the LDAP value that is being searched for. Using the
example structure in the post above, if someone were to log in with the username
"johndoe", then it would be searching the LDAP database for that exact cn. Now
configure the module with the following line:

AuthLDAPAttrPrependString "example.org_"

When configured this way and someone logs in with the username "johndoe", the
LDAP database is searched for "example.org_johndoe" instead. I have attached
the patch, which was originally written for 2.2.16 but has been tested against
the latest stable 2.2.19 version.

Steve Cross

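The behaviour described in Comment #1, as an added example that is not from the bug report or from the attached patch (which is not reproduced on this page): it wraps the user-supplied login name in the configured prepend/append strings, escapes the user-supplied part per RFC 4515, and resolves the resulting equality filter against the LDIF entries given in the report. The function names (build_search_filter, resolve_user, etc.), the tiny in-memory filter evaluator and the uid-with-suffix variant are this example's own assumptions, not mod_authnz_ldap's API.

```python
"""Model of AuthLDAPAttrPrependString / AuthLDAPAttrAppendString semantics.

Added example, not code from Bug 51322 or its patch. The directory below is
constructed from the LDIF in the bug report; all function names are assumed.
"""
import re

# RFC 4515 escapes for characters that carry meaning inside a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters in a value taken from the login prompt."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(attr: str, username: str, prepend: str = "", append: str = "") -> str:
    """Build '(attr=<prepend><username><append>)'.

    Only the user-controlled username is escaped; the admin-configured
    prefix and suffix are taken verbatim, as the proposed directives imply.
    """
    return f"({attr}={prepend}{escape_filter_value(username)}{append})"


# Constructed from the LDIF shown in the bug report.
LDIF = """\
dn: ou=People,dc=example,dc=org
objectclass: top
objectclass: organizationalUnit
ou: People

dn: cn=example.org_johndoe,ou=People,dc=example,dc=org
cn: example.org_johndoe
objectclass: inetOrgPerson
objectclass: top
sn: doe

dn: cn=example.org_janedoe,ou=People,dc=example,dc=org
cn: example.org_janedoe
objectclass: inetOrgPerson
objectclass: top
sn: doe
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF parser: blank-line separated entries of 'attr: value' lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def evaluate_equality_filter(entries: list[dict[str, list[str]]], search_filter: str) -> list[str]:
    """Evaluate one '(attr=value)' equality filter and return matching DNs.

    An unescaped '*' would make this a substring filter, which this toy
    evaluator refuses; an escaped one (\\2a) is unescaped and compared literally.
    """
    m = re.fullmatch(r"\((\w+)=(.*)\)", search_filter)
    if not m:
        raise ValueError(f"unsupported filter: {search_filter}")
    attr, raw = m.group(1).lower(), m.group(2)
    if "*" in raw:
        raise ValueError("wildcard (substring) filters are not supported here")
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return [e["dn"][0] for e in entries if literal in e.get(attr, [])]


def resolve_user(entries, username: str, prepend: str = "example.org_", append: str = "") -> list[str]:
    """Look up the DN(s) a login name maps to under the given prepend/append config."""
    return evaluate_equality_filter(entries, build_search_filter("cn", username, prepend, append))


if __name__ == "__main__":
    directory = parse_ldif(LDIF)
    print(build_search_filter("cn", "johndoe", prepend="example.org_"))   # (cn=example.org_johndoe)
    print(resolve_user(directory, "johndoe"))                             # the johndoe DN
    print(resolve_user(directory, "*"))                                   # [] -- no wildcard match
```

The point of the escaping step is that the value being wrapped is whatever the user typed at the login prompt: mod_authnz_ldap escapes it before building the filter, and a patch that adds prefix and suffix strings should keep that escaping on the user part only. The assumed in-memory evaluator makes the consequence visible: a login name of "*" becomes "\2a" in the filter and matches nothing, rather than every user under the prefix.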