| Summary: | Support for nested groups in LDAP | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Karol Kleibl <kleibl> |
| Component: | mod_authz_ldap | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | RESOLVED FIXED | | |
| Severity: | enhancement | CC: | quel, rederpj |
| Priority: | P2 | Keywords: | PatchAvailable |
| Version: | 2.2.3 | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Attachments: | Patch to add nested group support to httpd-trunk | | |

Description
Karol Kleibl
2007-07-13 08:06:34 UTC
does '?sub' not work in the LDAP AuthURL?

(In reply to comment #1)
> does '?sub' not work in the LDAP AuthURL?
>
>

No, it doesn't recurse the nested groups. My AuthLDAPUrl was ldap://xxx/dc=yyy?sAMAccountName?sub?(objectClass=person).

thanx
k

?sub only works for authentication when searching for objects that exist in sub-trees of the base DN. Searching for group membership in nested groups is an entirely different issue.

As Brad pointed out, sub refers to the DN hierarchy. Nested group processing requires an awareness of the "member" attributes contained within a group which designate subgroups. Each of those subgroups then needs to be queried to determine their membership until the desired user is found. I have a patch I'll be submitting that provides nested group support as soon as I finish forward porting it to trunk.

Created attachment 20549
Patch to add nested group support to httpd-trunk

This patch adds nested group support to Apache and adds directives to support it.

Thanx a lot. Is there a plan (or chance) that this patch will be added to official trunk?

I would love to see this patch committed.

Apparently I forgot to come back here and close this after it was committed. This feature has been in trunk since August of 2007.
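
The nested group processing described in the thread (follow each group's "member" values, query the subgroups, stop when the user is found), as an added example that is not the attached patch or httpd code. It assumes a constructed in-memory directory in place of LDAP searches; `is_member`, `max_depth` and all DNs are hypothetical, and DN comparison is simplified to lowercase string matching.

```python
# Constructed sample directory (DN -> entry); stands in for LDAP lookups.
DIRECTORY = {
    "cn=web-admins,dc=yyy": {
        "objectClass": ["group"],
        "member": ["cn=ops,dc=yyy", "cn=alice,dc=yyy"],
    },
    "cn=ops,dc=yyy": {
        "objectClass": ["group"],
        # Points back at its parent: a membership cycle the walk must survive.
        "member": ["cn=oncall,dc=yyy", "cn=web-admins,dc=yyy"],
    },
    "cn=oncall,dc=yyy": {"objectClass": ["group"], "member": ["cn=bob,dc=yyy"]},
    "cn=alice,dc=yyy": {"objectClass": ["person"]},
    "cn=bob,dc=yyy": {"objectClass": ["person"]},
}


def is_member(directory, group_dn, user_dn, max_depth=10):
    """True if user_dn is a direct or nested member of group_dn.

    max_depth=0 checks direct members only. Unknown groups and exhausted
    depth both return False, so the authorization check fails closed.
    """
    target = user_dn.strip().lower()
    seen = set()                       # groups already expanded (cycle guard)
    frontier = [group_dn.strip().lower()]
    for _ in range(max_depth + 1):     # one pass per nesting level
        next_frontier = []
        for group in frontier:
            if group in seen:
                continue
            seen.add(group)
            entry = directory.get(group)
            if entry is None:
                continue
            for member in entry.get("member", []):
                member = member.strip().lower()
                if member == target:
                    return True
                sub = directory.get(member)
                if sub and "group" in sub.get("objectClass", []):
                    next_frontier.append(member)
        if not next_frontier:
            break
        frontier = next_frontier
    return False
```

The depth cap and the visited set bound the number of directory queries made per request, which matters when group membership can be edited by delegated administrators.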