Hello,

It's my first post to the list which I'm reading regularly, so I hope I'll break as few rules as possible.

I'm looking to extend mod_auth_ldap to check if the user is a member of a POSIX group (standard procedure for PAM-LDAP, for instance). As opposed to regular LDAP groups, where membership is stored in an attribute of the _user_ object, a POSIX group is a separate object of class `posixGroup' which has a _list_ of members, in a series of `memberUid' attributes. User objects have objectClass values `posixAccount' and `shadowAccount' in addition to the structural class `person' or `inetOrgPerson'.
My plan is to implement an authorization check in the form of "Require posixGroup <group>". I can see that mod_auth_ldap in the "require" phase only checks cached info, so I need to collect all groups in the authentication phase. I think I need a separate query, roughly spelled as "(&(objectClass=posixGroup)(memberUid=<auth-user-uid>))", where <auth-user-uid> is the `uid' attribute (or equivalent) of the authenticated user. Then, I need to store the list of POSIX groups in the LDAP cache together with the user information in the `util_ldap_cache_checkuserid' function of the `util_ldap.c' module, probably using `posixGroup' as a "meta-attribute". What I mean is, each group name will be put into the cache as an attribute value, but it will be a "calculated" attribute rather than a "real" one.
I still don't understand the code completely, but I hope to use `util_ldap_cache_compare' in `util_ldap.c' as is, to see if a particular user has an attribute `posixGroup' with the value of the group given in "Require posixGroup ...".

I wanted to ask for any feedback before I start this. Thank you!

Sergey.
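The group lookup proposed above, as an added example that is not part of the original post and not mod_auth_ldap code: it builds the "(&(objectClass=posixGroup)(memberUid=<uid>))" filter, escaping the uid per RFC 4515 before it is spliced into the filter (the uid comes from the authenticated user's entry, but a value containing `*`, `(`, `)` or `\` would otherwise change the filter's meaning), then collects the matching group names the way the post wants them cached, and finally compares a "Require posixGroup" argument against that list. The directory is a constructed in-memory table standing in for the LDAP search; the function names, the group data and the buffer sizes are assumptions for the illustration. One caveat a reviewer would add: a user's primary POSIX group is expressed by the `gidNumber' of the posixAccount, not by a `memberUid' value, so this query alone does not see it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape one assertion value per RFC 4515 so it can be embedded in a
 * search filter.  '*', '(', ')' and '\' become \2a, \28, \29 and \5c
 * (a NUL cannot occur inside a C string, so \00 is not needed here).
 * Returns the number of bytes written, or -1 if out is too small. */
static int ldap_filter_escape(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '*':  rep = "\\2a"; break;
        case '(':  rep = "\\28"; break;
        case ')':  rep = "\\29"; break;
        case '\\': rep = "\\5c"; break;
        }
        if (rep) {
            if (o + 3 >= outlen) return -1;
            memcpy(out + o, rep, 3);
            o += 3;
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Build the posixGroup membership filter for the authenticated user's uid.
 * Returns the filter length, or -1 on overflow. */
static int build_posix_group_filter(const char *uid, char *out, size_t outlen)
{
    char esc[256];                               /* assumed size */
    if (ldap_filter_escape(uid, esc, sizeof esc) < 0) return -1;
    int n = snprintf(out, outlen, "(&(objectClass=posixGroup)(memberUid=%s))", esc);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return n;
}

/* Constructed stand-in for the directory: posixGroup entries with their
 * memberUid values.  A real module would run the filter above instead. */
struct posix_group { const char *cn; const char *member_uids[4]; };

static const struct posix_group directory[] = {
    { "wheel",  { "alice", NULL } },
    { "webdev", { "alice", "bob", NULL } },
    { "ops",    { "bob", NULL } },
};

/* Collect the cn of every group listing uid in memberUid (equality match,
 * as the filter would).  This is the value list the post proposes to cache
 * under the calculated "posixGroup" attribute.  Returns the count stored. */
static int collect_posix_groups(const char *uid, const char **groups, int max)
{
    int n = 0;
    for (size_t g = 0; g < sizeof directory / sizeof directory[0]; g++) {
        for (int m = 0; directory[g].member_uids[m]; m++) {
            if (strcmp(directory[g].member_uids[m], uid) == 0) {
                if (n < max) groups[n++] = directory[g].cn;
                break;
            }
        }
    }
    return n;
}

/* Analogue of the compare done for "Require posixGroup <group>":
 * is group among the values collected for this user? */
static int user_in_posix_group(const char **groups, int n, const char *group)
{
    for (int i = 0; i < n; i++)
        if (strcmp(groups[i], group) == 0) return 1;
    return 0;
}

int main(void)
{
    char filter[256];
    const char *groups[8];

    build_posix_group_filter("bob", filter, sizeof filter);
    puts(filter);
    /* a hostile uid value: wildcard and parentheses are neutralised */
    build_posix_group_filter("*)(uid=*", filter, sizeof filter);
    puts(filter);

    int n = collect_posix_groups("bob", groups, 8);
    printf("bob in webdev: %d, in wheel: %d\n",
           user_in_posix_group(groups, n, "webdev"),
           user_in_posix_group(groups, n, "wheel"));
    return 0;
}
```

The escaping step is the part worth keeping even if the rest is replaced by the real search call: the filter is assembled by string concatenation, so any value that reaches it has to be escaped, whatever its source.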
