RE: patch for mod_ldap_authnz

2010-04-28 Thread Thomas, Peter
This is an alternate path that I considered in my AuthType Cert work.  I didn't 
choose it, because it was actually meaningful in my situation to declare a user 
with an otherwise valid certificate unauthenticated if no matching LDAP 
record could be found.

I agree with Eric that AUTHENTICATE_ isn't the best prefix [of course, we 
need to respect the installed base that may be depending upon it].  I think a 
more appropriate prefix might be LDAP_attributename [semantically I think 
this is a better way to hint that the value for the attribute came from an 
LDAP search].
 -Original Message-
 From: Eric Covener [mailto:cove...@gmail.com] 
 Sent: Tuesday, April 27, 2010 10:37 PM
 To: dev@httpd.apache.org
 Subject: Re: patch for mod_ldap_authnz
 
 On Tue, Apr 27, 2010 at 9:25 PM, Kevin Kalupson kjk...@kevinkal.com wrote:
  Hi,
   mod_authnz_ldap will put the attributes from the AuthLdapUrl in the
  request environmental variables if ldap is the authentication source.
  However, if mod_authnz_ldap is only providing Authorization and
  another module is the authentication source, the attributes are not
  available as request variables.
 
 
 Anyone have feelings about LDAP-as-authorizer adding entries 
 to AUTHENTICATE_*?  Seems like an unfortunate name given the 
 nature of the data people are likely to plug into with this.
 
 Perhaps hide it behind a directive in mod_authnz_ldap and let 
 users pick the prefix during authz?
 
 --
 Eric Covener
 cove...@gmail.com
 


RE: patch for mod_ldap_authnz

2010-04-28 Thread Plüm, Rüdiger, VF-Group
 

 -Original Message-
 From: Eric Covener 
 Sent: Wednesday, 28 April 2010 04:37
 To: dev@httpd.apache.org
 Subject: Re: patch for mod_ldap_authnz
 
 On Tue, Apr 27, 2010 at 9:25 PM, Kevin Kalupson kjk...@kevinkal.com wrote:
  Hi,
   mod_authnz_ldap will put the attributes from the AuthLdapUrl in the
  request environmental variables if ldap is the authentication source.
  However, if mod_authnz_ldap is only providing Authorization and another
  module is the authentication source, the attributes are not available as
  request variables.
 
 
 Anyone have feelings about LDAP-as-authorizer adding entries to
 AUTHENTICATE_*?  Seems like an unfortunate name given the nature of
 the data people are likely to plug into with this.

We shouldn't use the AUTHENTICATE_* prefix in this case. It should be something
different to distinguish the cases.

Regards

Rüdiger



Re: patch for mod_ldap_authnz

2010-04-28 Thread Kevin Kalupson
I agree all around.  I would like it if there were a sane default
prefix. LDAP_* makes sense to me.  I like the idea of being able to set
the prefix with a directive in the configuration file.

-Kevin

On 4/28/10 3:37 AM, Plüm, Rüdiger, VF-Group wrote:
  
 
 -Original Message-
 From: Eric Covener 
 Sent: Wednesday, 28 April 2010 04:37
 To: dev@httpd.apache.org
 Subject: Re: patch for mod_ldap_authnz

 On Tue, Apr 27, 2010 at 9:25 PM, Kevin Kalupson kjk...@kevinkal.com wrote:
 Hi,
  mod_authnz_ldap will put the attributes from the AuthLdapUrl in the
 request environmental variables if ldap is the authentication source.
 However, if mod_authnz_ldap is only providing Authorization and another
 module is the authentication source, the attributes are not available as
 request variables.


 Anyone have feelings about LDAP-as-authorizer adding entries to
 AUTHENTICATE_*?  Seems like an unfortunate name given the nature of
 the data people are likely to plug into with this.
 
 We shouldn't use the AUTHENTICATE_* prefix in this case. It should be
 something different to distinguish the cases.
 
 Regards
 
 Rüdiger
 


Re: patch for mod_ldap_authnz

2010-04-27 Thread Eric Covener
On Tue, Apr 27, 2010 at 9:25 PM, Kevin Kalupson kjk...@kevinkal.com wrote:
 Hi,
  mod_authnz_ldap will put the attributes from the AuthLdapUrl in the
 request environmental variables if ldap is the authentication source.
 However, if mod_authnz_ldap is only providing Authorization and another
 module is the authentication source, the attributes are not available as
 request variables.


Anyone have feelings about LDAP-as-authorizer adding entries to
AUTHENTICATE_*?  Seems like an unfortunate name given the nature of
the data people are likely to plug into with this.

Perhaps hide it behind a directive in mod_authnz_ldap and let users
pick the prefix during authz?

-- 
Eric Covener
cove...@gmail.com
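
The two situations the original message contrasts, written out as httpd configuration. This is an added example, not part of the thread or of the patch under discussion; the host names, DNs, paths and locations are constructed placeholders.

```apache
# Constructed example: every host name, DN and path here is a placeholder.

# Case 1: LDAP is the authentication source.
# mod_authnz_ldap binds as the user and exports the attributes named in
# AuthLDAPURL into the request environment with the AUTHENTICATE_ prefix,
# attribute name upper-cased (AUTHENTICATE_UID, AUTHENTICATE_MAIL,
# AUTHENTICATE_CN for the URL below).
<Location "/ldap-authn">
    AuthType Basic
    AuthName "Directory login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid,mail,cn?sub"
    Require valid-user
</Location>

# Case 2: another module authenticates, LDAP only authorizes.
# The password is checked against a flat file; mod_authnz_ldap is consulted
# only for the group test. As described in the thread, the attributes in
# AuthLDAPURL are not exported as request variables in this case, so an
# application behind this location finds no AUTHENTICATE_* entries.
<Location "/ldap-authz-only">
    AuthType Basic
    AuthName "File login"
    AuthBasicProvider file
    AuthUserFile "/usr/local/apache2/conf/htpasswd"
    AuthLDAPURL "ldap://ldap.example.com/ou=People,dc=example,dc=com?uid,mail,cn?sub"
    Require ldap-group cn=staff,ou=Groups,dc=example,dc=com
</Location>
```

An application that treats the presence of AUTHENTICATE_* variables as proof that the directory verified the user's credentials would be misled if Case 2 populated the same names, which is the concern behind the replies asking for a different prefix.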