DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=42561>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=42561

[EMAIL PROTECTED] changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[EMAIL PROTECTED]

------- Additional Comments From [EMAIL PROTECTED]  2007-12-07 14:25 -------

I've developed this improvement independently, as I hit a real world example.

We have a distributed authentication system with kerberos for authentication and ldap for authorization. So the user authenticates using GSSAPI or username/password. mod_auth_kerb passes the kerberos principal as user name, which includes the realm along with the real user name. Using the krb5Principal attribute as the key to search ldap allows me to find the correct entry. For the applications, however, we want the simple user name.

For my modifications I copied even more strongly from the authentication function. You find "req->user = ..." in all these functions. After that the authentication does the following things before logging its success:

1. handle sec->user_is_dn resp. AuthLDAPRemoteUserIsDN
2. set AUTHENTICATE_* environment variables
3. handle sec->remote_user_attribute resp. AuthLDAPRemoteUserAttribute
4. sanity check that the requested attribute is really available

I copied all these code fragments, as UserIsDN would be useful in an authorization-only scenario as well, more information in the environment might be useful to scripts (I replaced AUTHENTICATE with AUTHORIZE), and an error message in case of a missing attribute might help diagnosing errors. All this I copied after the "req->user = r->user" assignment at the end of the "if(!req)" block for authorization.

I did my changes against the 2.2.x branch, where a single function handles authorization. Current trunk has four such functions, and exactly duplicate "if(!req)" blocks in each of these. That's a lot of code duplication; I didn't want to contribute to this by copying the stuff described above and pasting it four times.
Instead I think this common code should be factored out, but I can't do this just now.
