Filter by group attribute using mod authnz_ldap
on 02.10.2009 08:13:36 by Mxrgus Pxrt
Hi,
Would it be possible to filter users not only by user attributes or
groups but also by attributes of group using authnz_ldap?
Example:
Users:
cn: First Last, ou: people, dc: lol
cn: Second Last, ou: pople, dc: lol
Groups:
cn: lord, ou: group, dc: lol
member: First Last
attribute111: yes
Now, if attribute111 is yes, auth succeeds.
If not, what would be your recommendation, how to solve this task?
Br,
Margus
------------------------------------------------------------ ---------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: Filter by group attribute using mod authnz_ldap
on 02.10.2009 14:46:54 by Marc Patermann
Hi,
Mxrgus Pxrt wrote:
> Would it be possible to filter users not only by user attributes or
> groups but also by attributes of group using authnz_ldap?
>
> Example:
>
> Users:
> cn: First Last, ou: people, dc: lol
> cn: Second Last, ou: pople, dc: lol
>
> Groups:
> cn: lord, ou: group, dc: lol
> member: First Last
> attribute111: yes
>
> Now, if attribute111 is yes, auth succeeds.
>
>
> If not, what would be your recommendation, how to solve this task?
Hm, if there was any group-filter setting ...
But you have to _name_ the ldap-group anyone, don't you? So just name
LDAP groups here which have the attribute. :)
If you use AuthLDAPBindDN for searching ldap by apache, you could "hide"
other groups than these with the attribute by ACL on the ldap server.
Marc
Re: Filter by group attribute using mod authnz_ldap
on 14.10.2009 15:50:09 by Mxrgus Pxrt
Marc Patermann wrote:
> Hi,
>
> Mxrgus Pxrt wrote:
>
>> Would it be possible to filter users not only by user attributes or
>> groups but also by attributes of group using authnz_ldap?
>>
>> Example:
>>
>> Users:
>> cn: First Last, ou: people, dc: lol
>> cn: Second Last, ou: pople, dc: lol
>>
>> Groups:
>> cn: lord, ou: group, dc: lol
>> member: First Last
>> attribute111: yes
>>
>> Now, if attribute111 is yes, auth succeeds.
>>
>>
>> If not, what would be your recommendation, how to solve this task?
> Hm, if there was any group-filter setting ...
> But you have to _name_ the ldap-group anyone, don't you? So just name
> LDAP groups here which have the attribute. :)
>
> If you use AuthLDAPBindDN for searching ldap by apache, you could
> "hide" other groups than these with the attribute by ACL on the ldap
> server.
>
>
>
> Marc
Both solutions that you offered are not good enough.
By defining groups one by one in ldap-group or messing around per group
in the ACL of the LDAP server I would not gain anything; I need filtering by
group attribute.
As I understand it, the best solutions would be:
a. http://code.google.com/p/mod-auth-external/ - create a dynamic Python
program, for example, that would filter by using the group attribute
b. patch current mod_authz_ldap
Variant A seems a bit less messy (future problems on updates etc. with
variant B). Can any of you recommend something better?
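A sketch of the check that variant (a) in the last post would need, added here as an example; it is not code from the thread or from mod-auth-external. The in-memory `GROUPS` list and `search()` stand in for a real LDAP search, the second group is constructed, and how the helper receives the user name from the web server is left out.

```python
import re

# Constructed directory mirroring the thread's sample entries. Attribute names
# come from the thread; the "serf" group is an assumption added for contrast.
GROUPS = [
    {"cn": ["lord"], "member": ["First Last"], "attribute111": ["yes"]},
    {"cn": ["serf"], "member": ["Second Last"], "attribute111": ["no"]},
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so user input stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def group_filter(member, attr="attribute111", wanted="yes"):
    """Filter for groups that list `member` AND carry attr=wanted.
    `attr` is trusted configuration, never user input, so it is not escaped."""
    return "(&(member=%s)(%s=%s))" % (
        escape_filter_value(member), attr, escape_filter_value(wanted))

def _unescape(value):
    # Turn \XX hex escapes back into the characters they stand for.
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def search(entries, flt):
    """Stand-in for an LDAP search; understands only (&(a=v)(b=v)...) filters."""
    body = re.fullmatch(r"\(&(.*)\)", flt)
    if not body:
        raise ValueError("unsupported filter: %r" % flt)
    terms = re.findall(r"\(([^=()]+)=([^()]*)\)", body.group(1))
    if "".join("(%s=%s)" % t for t in terms) != body.group(1):
        raise ValueError("unsupported filter: %r" % flt)
    wanted = [(a, _unescape(v)) for a, v in terms]
    return [e for e in entries if all(v in e.get(a, []) for a, v in wanted)]

def is_authorized(user, entries=GROUPS):
    """True when the user is in at least one group with attribute111=yes."""
    return bool(search(entries, group_filter(user)))

if __name__ == "__main__":
    for name in ("First Last", "Second Last", "*", "First Last)(cn=*"):
        print("%-20r %-45s %s" % (name, group_filter(name), is_authorized(name)))
```

Without the escaping step, a user name of `*` would turn the membership test into a presence match on `member`, which is why the user-supplied value is escaped before it reaches the filter.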