Bug 42891

Summary: Support for nested groups in LDAP
Product: Apache httpd-2
Reporter: Karol Kleibl <kleibl>
Component: mod_authz_ldap
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: RESOLVED FIXED
Severity: enhancement
CC: quel, rederpj
Priority: P2
Keywords: PatchAvailable
Version: 2.2.3
Target Milestone: ---
Hardware: All
OS: Linux
Attachments: Patch to add nested group support to httpd-trunk

Description Karol Kleibl 2007-07-13 08:06:34 UTC
It is currently impossible to authorize a user when he's a member of a group
nested in the group defined in "require ldap-group". The nesting of groups makes
sense in scenarios where it is practical to reuse existing LDAP group definitions
and their extension (and/or joining).
The functionality can be implemented by recursively searching in nested groups
if the user isn't a member of the group itself. This functionality can be made
optional because of the expensive nature of such recursion.
Comment 1 Tony Stevenson 2007-07-13 13:17:46 UTC
Does '?sub' not work in the LDAP AuthURL?

Comment 2 Karol Kleibl 2007-07-16 00:06:50 UTC
(In reply to comment #1)
> Does '?sub' not work in the LDAP AuthURL?

No, it doesn't recurse the nested groups. My AuthLDAPUrl was
ldap://xxx/dc=yyy?sAMAccountName?sub?(objectClass=person).

thanx
k

Comment 3 Brad Nicholes 2007-07-16 07:21:24 UTC
?sub only works for authentication when searching for objects that exist in
sub-trees of the base DN. Searching for group membership in nested groups is
an entirely different issue.
Comment 4 Paul J. Reder 2007-07-16 10:59:19 UTC
As Brad pointed out, sub refers to the DN hierarchy. Nested group processing
requires an awareness of the "member" attributes contained within a group which
designate subgroups. Each of those subgroups then needs to be queried to
determine its membership until the desired user is found. I have a patch I'll
be submitting that provides nested group support as soon as I finish forward
porting it to trunk.
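As an added illustration of the recursion Paul describes (example code, not the httpd patch itself), the Python below walks a group's "member" attribute into subgroups, with a depth bound reflecting the cost concern in the description and protection against membership cycles. The in-memory directory, the DNs and the attribute names "member" and "objectClass" are constructed stand-ins for a real LDAP server.

```python
# Constructed sample directory standing in for an LDAP server: DN -> attributes.
# web-admins contains alice directly, the group ops (which contains bob) and,
# two levels down via ops -> oncall, carol. oncall also points back to
# web-admins, so a naive recursion would loop forever.
DIRECTORY = {
    "cn=web-admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=alice,ou=people,dc=example,dc=com",
                   "cn=ops,ou=groups,dc=example,dc=com"],
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=bob,ou=people,dc=example,dc=com",
                   "cn=oncall,ou=groups,dc=example,dc=com"],
    },
    "cn=oncall,ou=groups,dc=example,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=carol,ou=people,dc=example,dc=com",
                   "cn=web-admins,ou=groups,dc=example,dc=com"],  # cycle
    },
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["person"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["person"]},
    "uid=carol,ou=people,dc=example,dc=com": {"objectClass": ["person"]},
    "uid=dave,ou=people,dc=example,dc=com": {"objectClass": ["person"]},
}


def is_group(dn):
    """A member DN designates a subgroup if its entry has a group objectClass."""
    entry = DIRECTORY.get(dn, {})
    return "groupOfNames" in entry.get("objectClass", [])


def is_member(user_dn, group_dn, max_depth=0, _path=()):
    """True if user_dn is a direct member of group_dn, or a member of a
    subgroup reached through at most max_depth levels of nesting.
    max_depth=0 is the pre-patch behaviour: direct members only."""
    if group_dn in _path:            # already on the current chain: cycle
        return False
    members = DIRECTORY.get(group_dn, {}).get("member", [])
    if user_dn in members:           # cheap direct check before recursing
        return True
    if len(_path) >= max_depth:      # bound the expensive recursion
        return False
    path = _path + (group_dn,)
    return any(is_member(user_dn, m, max_depth, path)
               for m in members if is_group(m))
```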
Comment 5 Paul J. Reder 2007-07-25 09:27:33 UTC
Created attachment 20549 [details]
Patch to add nested group support to httpd-trunk

This patch adds nested group support to Apache and adds directives to support
it.
Comment 6 Karol Kleibl 2007-09-27 02:48:10 UTC
Thanx a lot.
Is there a plan (or chance) that this patch will be added to official trunk?
Comment 7 James Nobis 2008-06-13 08:36:35 UTC
I would love to see this patch committed.  
Comment 8 Paul J. Reder 2008-06-16 18:53:48 UTC
Apparently I forgot to come back here and close this after it was committed. This feature has been in trunk since August of 2007.