DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=38515>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=38515

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |NEEDINFO

------- Additional Comments From [EMAIL PROTECTED]  2007-03-18 20:10 -------
I'd really like to get something incorporated into the tree. However, I could use some help formulating a proper solution.

I just sat down to create a new patch against the trunk. Here are my initial thoughts for the direction of the patch.

* Need 2 new config directives
  1) AuthLDAPEnableDynamicGroupLookups (defaults to off)
     - Determines whether dynamic group lookup is enabled
  2) AuthLDAPDynamicGroupAttribute (defaults to "MemberURL")
     - Determines which attributes can contain dynamic group LDAP URIs

* Dynamic group lookup is added to ldapgroup_check_authorization in mod_authnz_ldap.c. If enabled, we check dynamic group membership after regular (static) group membership.

Here is where it gets interesting. Checking for dynamic group membership involves the following steps:

  1) Look for attributes in a group record that correspond to dynamic group LDAP URIs
  2) Parse each result and perform an LDAP search to see if the current user DN is returned.

Now, I would love to incorporate this feature into uldap_cache_compare in util_ldap.c, but I'm not sure if it will fit. I will have to add at least one argument to this function whose value dictates whether to invoke the special dereference-attribute-value-as-LDAP-URI-and-search functionality. Realistically, I will have to add more arguments that control how the search is performed (see the existing patch for what I mean).

Is it acceptable to add all of these extra arguments, or should I just create a new function that handles dynamic group lookups explicitly (as is the behavior in the current patches)?

Any comments from the peanut gallery?
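The C code below is an added example, not part of the comment above and not taken from any httpd patch. It covers the parsing half of step 2: it splits a dynamic-group URL value (RFC 4516 form) into base, scope and filter and checks whether a user DN falls inside that base and scope, after which a base-scope search on the user DN with the URL's filter would settle membership. The names struct dyn_group, parse_member_url and dn_in_scope, and the sample URL and DN, are assumptions made for illustration; the code assumes values without percent-escapes or escaped commas, and it rejects URLs that name a host or carry extensions.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
struct dyn_group { char base[256], filter[256]; enum { SCOPE_BASE, SCOPE_ONE, SCOPE_SUB } scope; };

/* Copy the next '?'-separated field of *p into dst; -1 if it does not fit. */
static int next_field(const char **p, char *dst, size_t cap)
{
    size_t n = strcspn(*p, "?");
    if (n >= cap) return -1;
    snprintf(dst, cap, "%.*s", (int)n, *p);
    *p += n + ((*p)[n] == '?');          /* step over the separator if present */
    return 0;
}

/* Parse "ldap:///base?attrs?scope?filter" (hypothetical helper); 0 = ok, -1 = reject. */
int parse_member_url(const char *url, struct dyn_group *g)
{
    char attrs[256], scope[16];
    if (strncasecmp(url, "ldap:///", 8) != 0) return -1;  /* a host part is refused */
    const char *p = url + 8;
    if (next_field(&p, g->base, sizeof g->base) || next_field(&p, attrs, sizeof attrs) ||
        next_field(&p, scope, sizeof scope) || next_field(&p, g->filter, sizeof g->filter) || *p)
        return -1;                        /* oversized field or trailing extensions */
    if (!scope[0] || !strcasecmp(scope, "base")) g->scope = SCOPE_BASE;
    else if (!strcasecmp(scope, "one")) g->scope = SCOPE_ONE;
    else if (!strcasecmp(scope, "sub")) g->scope = SCOPE_SUB;
    else return -1;
    if (!g->filter[0]) strcpy(g->filter, "(objectClass=*)");  /* RFC 4516 default */
    return 0;
}

/* 1 if user_dn lies inside g's base and scope; plain case-insensitive compare only. */
int dn_in_scope(const char *user_dn, const struct dyn_group *g)
{
    size_t ul = strlen(user_dn), bl = strlen(g->base);
    if (ul < bl || strcasecmp(user_dn + (ul - bl), g->base) != 0) return 0;
    if (ul == bl) return g->scope != SCOPE_ONE;          /* the base entry itself */
    if (g->scope == SCOPE_BASE || (bl && user_dn[ul - bl - 1] != ',')) return 0;
    return g->scope == SCOPE_SUB || memchr(user_dn, ',', ul - bl - 1) == NULL;
}

int main(void)
{
    struct dyn_group g;                   /* URL and DN below are constructed samples */
    if (parse_member_url("ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)", &g) == 0)
        printf("%d %s\n", dn_in_scope("uid=jdoe,ou=people,dc=example,dc=com", &g), g.filter);
    return 0;
}
```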
