>>> On 3/24/2006 at 2:56:01 am, in message <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote:
> Hi everybody,
>
> I would like to enhance this module to be able to match the username in
> more than one attribute in an "OR" condition.
>
> Currently, this module uses the AuthLDAPURL:
>
> AuthLDAPURL
> ldap://server/searchbase?attribute_containing_the_login?scope?additionnal_filter
>
> it constructs the filter like this:
>
> (&(attribute_containing_the_login=provided_login)(additionnal_filter))
>
>
> but I think it could be useful (I need it now ;)) to have more than one
> "attribute_containing_the_login".
>
>
> I see two ways of doing this:
>
> Permit multiple attributes separated by commas in place of
> attribute_containing_the_login, as stated in RFC 2255.
>
> The resulting filter will be:
>
> (&(|(attr1=provided_login)(attr2=provided_login)(...))(additionnal_filter))
>
>
> Or
>
> Permit not providing "attribute_containing_the_login" but replace any
> occurrence of, for example, "%u" in the additionnal_filter by the provided
> login.
>
>
> I'm okay to provide a patch, but I would like to know your opinion on
> those 2 ways.

Submit a patch and let's take a look at what you are proposing. Keep in mind that the LDAP URL that mod_authnz_ldap consumes already allows you to enter multiple comma-delimited attributes as described by RFC 2255. However, mod_authnz_ldap only recognizes the first attribute as the search attribute. All of the other listed attributes, including the search attribute, are used to extract the values as part of the request.

Changing the format of the filter based on the attribute list in the LDAP URL would change the searching behavior without the administrator knowing that it happened. This could be very bad because just upgrading to a new version of mod_authnz_ldap and restarting Apache could completely change the way authentication is working.

I would suggest that you go with your second proposal. That would provide the same type of functionality but without the upgrade surprise.

Brad
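
Added example, not part of the original thread and not mod_authnz_ldap code: a sketch of the second proposal, expanding every "%u" in an administrator-supplied filter with the login after escaping it per RFC 4515 so the login cannot alter the filter structure. The function names, the template and the logins are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append login to out, hex-escaping the characters
 * RFC 4515 reserves in a filter value ('*', '(', ')', '\'). */
static int append_escaped(char *out, size_t cap, size_t *pos, const char *login)
{
    static const char hex[] = "0123456789abcdef";
    for (const unsigned char *p = (const unsigned char *)login; *p; p++) {
        if (*p == '*' || *p == '(' || *p == ')' || *p == '\\') {
            if (*pos + 3 >= cap) return -1;   /* keep room for the NUL */
            out[(*pos)++] = '\\';
            out[(*pos)++] = hex[*p >> 4];
            out[(*pos)++] = hex[*p & 0x0f];
        } else {
            if (*pos + 1 >= cap) return -1;
            out[(*pos)++] = (char)*p;
        }
    }
    return 0;
}

/* Hypothetical: replace each "%u" in tmpl with the escaped login.
 * Returns 0 on success, -1 if out is too small (out is then unusable). */
int expand_filter(const char *tmpl, const char *login, char *out, size_t cap)
{
    size_t pos = 0;
    if (cap == 0) return -1;
    while (*tmpl) {
        if (tmpl[0] == '%' && tmpl[1] == 'u') {
            if (append_escaped(out, cap, &pos, login) != 0) return -1;
            tmpl += 2;
        } else {
            if (pos + 1 >= cap) return -1;
            out[pos++] = *tmpl++;
        }
    }
    out[pos] = '\0';
    return 0;
}

int main(void)
{
    char f[256];
    /* Constructed template and logins, for illustration only. */
    const char *tmpl = "(&(|(uid=%u)(mail=%u))(objectClass=person))";
    if (expand_filter(tmpl, "jdoe", f, sizeof f) == 0) puts(f);
    if (expand_filter(tmpl, "*)(uid=*", f, sizeof f) == 0) puts(f);
    return 0;
}
```

A caller should treat a -1 return as an authentication failure rather than searching with a truncated filter.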
