Bug 51005 - Allow to use username in LDAP filter
Summary: Allow to use username in LDAP filter
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_authn_ldap
Version: 2.5-HEAD
Hardware: All All
Importance: P2 enhancement with 4 votes
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
URL:
Keywords: PatchAvailable
Depends on:
Blocks:
 
Reported: 2011-04-01 05:29 UTC by Julien Danjou
Modified: 2012-11-15 16:16 UTC

Attachments
Patch implementing that (4.85 KB, patch)
2011-04-01 05:31 UTC, Julien Danjou

Description Julien Danjou 2011-04-01 05:29:58 UTC
Currently, the filter given in AuthLDAPURL abuses the RFC by using the attribute to match the username provided. This does not allow more complex search filters.

The attached patch replaces %u in the filter string by the provided username, so one can check for more complicated things like:

  ldap://ldap.example.com/ou=users,o=easter-eggs??base?(mail=%u@example.com)

Please note that this patch does not modify the current behaviour and is backward compatible.

Something that can be enhanced is the use of 'attribute' in the filter based on its presence in the URL or not. Currently, the documentation says it's set to uid by default, which is a problem if you do not want to use the default filter. I thought about ignoring attribute if it's not present, but that might break compatibility. I'm fine with my patch's approach, but if you think another one is better, just tell me, I'll rework the patch.
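Added example, not part of the original report or the attached patch: a sketch of %u expansion in a filter template that escapes the username per RFC 4515 before it is placed in the filter, so a supplied name cannot change the filter's structure. The function name `expand_filter`, the fixed-size buffer and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not the attached patch): replace every "%u" in an
 * LDAP filter template with the username, escaping '*', '(', ')' and '\'
 * as \2a, \28, \29 and \5c (RFC 4515).
 * Returns the length written, or -1 if the output buffer is too small. */
static int expand_filter(const char *tmpl, const char *user,
                         char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    size_t n = 0;

    if (outlen == 0)
        return -1;
    for (const char *p = tmpl; *p != '\0'; p++) {
        if (p[0] != '%' || p[1] != 'u') {
            if (n + 1 >= outlen)          /* keep room for the NUL */
                return -1;
            out[n++] = *p;                /* literal template character */
            continue;
        }
        p++;                              /* skip the 'u' of "%u" */
        for (const unsigned char *u = (const unsigned char *)user; *u; u++) {
            if (strchr("*()\\", *u) != NULL) {
                if (n + 3 >= outlen)
                    return -1;
                out[n++] = '\\';
                out[n++] = hex[*u >> 4];
                out[n++] = hex[*u & 0x0f];
            } else {
                if (n + 1 >= outlen)
                    return -1;
                out[n++] = (char)*u;
            }
        }
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[128];
    /* Constructed input: filter from the report, made-up username. */
    if (expand_filter("(mail=%u@example.com)", "j(d)", buf, sizeof buf) >= 0)
        puts(buf);
    return 0;
}
```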
Comment 1 Julien Danjou 2011-04-01 05:31:17 UTC
Created attachment 26822
Patch implementing that