https://issues.apache.org/bugzilla/show_bug.cgi?id=48623
Summary: AuthLDAPURL syntax is not RFC-compliant, prevents
common failover scenarios
Product: Apache httpd-2
Version: 2.2.3
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: mod_authz_ldap
AssignedTo: [email protected]
ReportedBy: [email protected]
mod_authnz_ldap documentation says the first parameter to the AuthLDAPURL
directive is an RFC2255 LDAP URI (the current relevant RFCs are 4516 and 4510),
but the method which has been used for host failover breaks RFC compliance.
My mod_authnz_ldap, which came bundled with Red Hat Enterprise Linux v5.4 as
part of their httpd-2.2.3-31.el5_4.2 package, requires this for syntax:
transport://host host host host host:port/dn?filter-etc
this is not RFC compliant, you cannot embed multiple hosts like that. This is a
hack that prevents several commonplace LDAP failover usages.
This is the right way to do it:
transport://host:port/dn?filter-etc transport://host:port/dn?filter-etc
For example, in an arbitrarily complex two host failover setup:
AuthLDAPURL
ldap://127.0.0.1:9001/cn=mailboxes,dc=example,dc=edu?mailuid?one?objectclass=mailuser
ldaps://ldap.example.edu/ou=People,dc=example,dc=edu?uid?one?objectclass=posixAccount
(Note, buzilla's probably wrapping that, it should all be on one line.)
Any number of space-separated host specifications should be allowed, although
three will be enough for most real-world use cases.
Since RFC-compliant strings may contain spaces internally, quoting of
individual host specifications must be allowed.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
