PATCH #40075 - using ldap groups that contain DNs and usernames for AuthZ

2006-12-18 Thread Johanna Bromberg Craig

Hey,

I know that Brad said he's been slammed at day job work and as such  
has not been able to find time to review my most recent changes to my  
patch, but I'm just sending out my weekly nudge as I'm also under  
pressure at work to get this done. :)


Thanks,
Johanna


PATCH #40075 - using ldap groups that contain DNs and usernames for AuthZ

2006-12-11 Thread Johanna Bromberg Craig

Hey,

I've addressed the last rounds of comments to my patch to  
mod_authnz_ldap. I haven't heard anything for a week, so I'm  
wondering, can someone please review these changes?


Thanks,
Johanna


PATCH #40075 - using ldap groups that contain DNs and usernames for AuthZ

2006-12-04 Thread Johanna Bromberg Craig

Hi,

I've addressed the feedback I received on my patch from Brad Nicholes  
as follows:


I've reviewed all instances of util_ldap_compare() and  
util_ldap_cache_comparedn() to confirm that each is protected from  
cases where req->dn might be NULL or '\0'.


I've addressed the differences between AuthLDAPGroupAttributeDN,  
AuthLDAPGroupAttribute, and AuthzLDAPRequireDN.


Thanks,
Johanna


PATCH #40075 - using ldap groups that contain DNs and usernames for AuthZ

2006-11-07 Thread Johanna Bromberg Craig

Hi,

I've addressed the feedback I received on my patch from Brad Nicholes  
as follows:


I've restored AuthLDAPGroupAttribute to its former syntax and added a
new directive, AuthLDAPGroupAttributeDN, whose attribute type is
taken to be dn regardless of the value of AuthLDAPGroupAttributeIsDN.
AuthLDAPGroupAttributeDN uses the same syntax as
AuthLDAPGroupAttribute for the sake of clarity.

Thanks,
Johanna


PATCH #40075 - using ldap groups that contain DNs and usernames for AuthZ

2006-07-19 Thread johanna bromberg craig

I'm a web developer at the University of Michigan and one of the
authors of cosign ( http://weblogin.org ) which we use for (web)
authentication. As to authorization, we've been tweaking and tuning
mod_authz_ldap ( http://authzldap.othello.ch/ ) but we're really not
happy with the code base. We're currently still running Apache 1, but
the new mod_authnz_ldap has given us a very good reason to migrate to
Apache 2.2 this summer.

The only trouble is, we need to extend the functionality a bit.

We have identities at Michigan that don't have their own entries in
our LDAP directory, but they do appear in groups. This brings up a
few issues.

1) We'd like some way to say if we can't find a DN
for this identity, that's OK.

2) Since some of our users are in the directory ( have a person
entry ) and some are not, AuthLDAPGroupAttributeIsDN is not rich
enough for us. Many of our groups contain both DNs and usernames.
We'd like to extend AuthLDAPGroupAttribute to say whether the
attribute in question is a DN or username, and thus be able to
authorize both DNs and usernames for the same resource.

I've proposed a patch to mod_authnz_ldap that adds:

a) A new directive - AuthzLDAPRequireDN On | Off. On is the  
behavior we're looking for in issue #1 above, Off is the current  
default behavior, and this defaults to Off.


b) A second argument to AuthLDAPGroupAttribute - a second argument,  
dn, allows us the finer grain control we're looking for in issue #2  
above. If the dn option is given, the attribute ( member, say ) must  
be a DN. If this type is not set, the global  
AuthLDAPGroupAttributeIsDN is obeyed, i.e., it works as before.


Both of these changes are meant to be fully backward compatible with  
the behavior described in the existing documentation so no server  
admin should experience a surprise change upon an upgrade if this  
patch were accepted.


I expect this functionality to be useful to any site that splits  
their authN/authZ. In particular, any site that uses WebSSO ( Cosign,  
CAS, PubCookie, etc. ) for authN but LDAP for authZ.


Thanks.

-J
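The membership check the message asks for (group attributes typed per attribute as DN or username, plus an identity that may have no DN at all), modelled as an added Python example. This is not code from the patch or from mod_authnz_ldap: the group data, the user names, the `GroupAttr`/`AuthzConfig` types and the `allow_missing_dn` flag (standing in for the behaviour the message describes for AuthzLDAPRequireDN On) are all constructed for illustration, and DN normalisation is deliberately simplified.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed directory fragment (not real data): one group whose values
# mix full DNs (member) and bare usernames (memberUid), the situation the
# message describes.
GROUPS: Dict[str, Dict[str, List[str]]] = {
    "cn=webadmins,ou=groups,dc=example,dc=edu": {
        "member": [
            "uid=alice,ou=people,dc=example,dc=edu",
            "uid=bob,ou=people,dc=example,dc=edu",
        ],
        "memberUid": ["carol", "dave"],
    },
}


@dataclass
class GroupAttr:
    """One group attribute to check, as AuthLDAPGroupAttribute names it.

    is_dn=True models the per-attribute 'dn' flag the patch proposes;
    None means fall back to the global AuthLDAPGroupAttributeIsDN value.
    """
    name: str
    is_dn: Optional[bool] = None


@dataclass
class AuthzConfig:
    group_attrs: List[GroupAttr]
    group_attr_is_dn: bool = True   # AuthLDAPGroupAttributeIsDN
    # Hypothetical flag modelling the behaviour the message describes for
    # AuthzLDAPRequireDN On: an identity with no directory entry (no DN)
    # may still be authorized through username-typed group attributes.
    # False is the existing behaviour, where a user with no DN is denied.
    allow_missing_dn: bool = False


def norm_dn(dn: str) -> str:
    """Simplified DN normalisation: lower-case and strip whitespace around
    RDN separators. Real DN comparison follows the attributes' matching
    rules; this is only enough for the constructed sample."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def is_group_member(cfg: AuthzConfig, group_dn: str,
                    username: str, user_dn: Optional[str]) -> bool:
    """Return True if the user satisfies 'Require ldap-group group_dn'.

    DN-typed attributes are only ever compared against the user's DN, and
    username-typed attributes only against the username, so an identity
    with no DN can never match a DN value by accident.
    """
    group = GROUPS.get(group_dn)
    if group is None:
        return False
    if not user_dn and not cfg.allow_missing_dn:
        return False            # existing default: no DN, no authz
    for attr in cfg.group_attrs:
        compare_as_dn = cfg.group_attr_is_dn if attr.is_dn is None else attr.is_dn
        values = group.get(attr.name, [])
        if compare_as_dn:
            if not user_dn:     # guard: never compare a NULL/empty DN
                continue
            if any(norm_dn(v) == norm_dn(user_dn) for v in values):
                return True
        elif username and username in values:
            return True
    return False


# Configuration matching the message's request: 'member' is forced to be
# compared as a DN, 'memberUid' follows the global IsDN setting (Off).
MIXED_GROUP_CFG = AuthzConfig(
    group_attrs=[GroupAttr("member", is_dn=True), GroupAttr("memberUid")],
    group_attr_is_dn=False,
    allow_missing_dn=True,
)

GROUP = "cn=webadmins,ou=groups,dc=example,dc=edu"

if __name__ == "__main__":
    cases = [
        ("alice", "uid=alice,ou=people,dc=example,dc=edu"),
        ("carol", None),   # identity without a directory entry
        ("alice", None),   # name appears only inside a DN-typed value
        ("eve", None),
    ]
    for user, dn in cases:
        print(user, dn, is_group_member(MIXED_GROUP_CFG, GROUP, user, dn))
```

The case worth noticing is "alice" with no DN: her name is in the group only as part of a DN-typed value, so she is refused even though the name is present, because nothing has tied the authenticated username to that directory entry. That is the property the NULL-DN guards in the patch review thread protect.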