Bug 51005

Summary: Allow using the username in the LDAP filter
Product: Apache httpd-2
Reporter: Julien Danjou <julien>
Component: mod_authn_ldap
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Severity: enhancement
CC: julien
Priority: P2
Keywords: PatchAvailable
Version: 2.5-HEAD
Target Milestone: ---
Hardware: All
OS: All
Attachments: Patch implementing that

Description Julien Danjou 2011-04-01 05:29:58 UTC
Currently, the filter given in AuthLDAPURL abuses the RFC by using the attribute to match the username provided. This does not allow more complex search filters.

The attached patch replaces %u in the filter string by the provided username, so one can check for more complicated things like:

  ldap://ldap.example.com/ou=users,o=easter-eggs??base?(mail=%u@example.com)

Please note that this patch does not modify the current behaviour and is backward compatible.

Something that can be enhanced is the use of 'attribute' in the filter based on its presence in the URL or not. Currently, the documentation says it's set to uid by default, which is a problem if you do not want to use the default filter. I thought about ignoring attribute if it's not present, but that might break compatibility. I'm fine with my patch's approach, but if you think another one is better, just tell me and I'll rework the patch.
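To make the %u expansion concrete, here is an added example (not the attached patch, whose code is not shown on this page) that substitutes the supplied username into an AuthLDAPURL filter template while escaping it per RFC 4515, so that characters such as '*' or '(' in a username stay an assertion value and cannot alter the filter's structure. The function names `append`, `append_escaped` and `expand_ldap_filter` are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Append s to out at *pos; fail if it would not fit together with its NUL. */
static int append(char *out, size_t outsz, size_t *pos, const char *s)
{
    size_t n = strlen(s);
    if (*pos + n >= outsz) return -1;
    memcpy(out + *pos, s, n);
    *pos += n;
    out[*pos] = '\0';
    return 0;
}

/* Append user with RFC 4515 escaping: '*', '(', ')' and '\' become \HH, so
 * the username is always read as an assertion value, never as filter syntax.
 * (NUL cannot occur inside a C string, so it needs no case here.) */
static int append_escaped(char *out, size_t outsz, size_t *pos, const char *user)
{
    char piece[4];
    for (; *user; user++) {
        if (strchr("*()\\", *user))
            snprintf(piece, sizeof piece, "\\%02x", (unsigned char)*user);
        else
            snprintf(piece, sizeof piece, "%c", *user);
        if (append(out, outsz, pos, piece) < 0) return -1;
    }
    return 0;
}

/* Expand every "%u" in the AuthLDAPURL filter template with the escaped
 * username.  Returns the length written (excluding NUL), or -1 on overflow. */
int expand_ldap_filter(const char *tmpl, const char *user, char *out, size_t outsz)
{
    size_t pos = 0;
    char lit[2] = { 0, 0 };
    if (outsz == 0) return -1;
    out[0] = '\0';
    for (; *tmpl; tmpl++) {
        if (tmpl[0] == '%' && tmpl[1] == 'u') {
            if (append_escaped(out, outsz, &pos, user) < 0) return -1;
            tmpl++; /* step onto the 'u'; the loop increment moves past it */
        } else {
            lit[0] = *tmpl;
            if (append(out, outsz, &pos, lit) < 0) return -1;
        }
    }
    return (int)pos;
}
```

With the filter from the report, `(mail=%u@example.com)` and user `julien` yield `(mail=julien@example.com)`; a user containing `*` is emitted as `\2a` instead of becoming a wildcard.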
Comment 1 Julien Danjou 2011-04-01 05:31:17 UTC
Created attachment 26822
Patch implementing that