LDAP-Group support for HTTP-Authentication
Support for using LDAP DN in auth-require, example:
auth.require = ( "/" => ( "method" => "basic", "realm" => "test lighty auth", "require" => "group=cn=coolguys,ou=groups,dc=foo,dc=org|user=admin|group=cn=group2,ou=groups,dc=foo,dc=org" ) )
Patch also available at http://danielbond.org/patches/lighttpd-http_auth.c-ldap_group.diff
- Status changed from New to Need Feedback
lighttpd 1.4.42 revamps mod_auth, creating modules for each backend, e.g. mod_authn_ldap.c
rajven, still interested in adding group support? If so, the mod_auth revamp will need to be slightly extended to do the authorization in each backend module, instead of just doing authentication in each backend module. I can help with that part if you're willing to make the LDAP group query more efficient.
- File lighttpd-1.4.44-mod_authn_ldap-group.patch added
- Status changed from Need Feedback to Missing Feedback
Some notes on the patch:
The patch as written (lighttpd-1.4.39-mod_auth-group-ldap.patch) makes a new connection for each "group=...|group=..." listed in the auth require config. If a local cache were implemented, then it might be better to store the contents of memberOf (in databases where memberOf is part of the user record), or else to query for the user's group membership and store that. Given that local caching is not done (though it would be a nice feature to have), the patch should make a single query to LDAP with all the group=... as part of the filter. In the typical case, this will probably be configured as a single group=..., so the current patch is probably good enough for most low-traffic uses.
Allowing auth.backend.ldap.groupmember to be specified is not sufficient since "memberUid", the default, is used with (memberUid=$username) whereas if "member" were used, it would likely need to use the user DN retrieved earlier in mod_authn_ldap, e.g. (member=$userDN). The patch should probably check auth.backend.ldap.groupmember for "memberUid" or "member" and then build the filter appropriately.
buffer *ldap_groupmember is unused.
Attached is an UNTESTED patch updated for lighttpd 1.4.44. It is still not very efficient (no caching of responses), but at least reuses the connection to the LDAP server.
Marking this ticket as "Missing Feedback" due to lack of response to earlier queries. If someone uses the new patch and it works (or doesn't), please report back here. Thx.
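One way to build the membership filter discussed in the notes above, picking the value by auth.backend.ldap.groupmember and escaping it per RFC 4515 so a login name cannot alter the filter. This is an added example, not code from the attached patches or from lighttpd; build_group_filter, filter_escape and the sample login name are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Append src to dst at *pos, hex-escaping the RFC 4515 special characters.
 * Returns 0 on success, -1 if dst is too small. */
static int filter_escape(char *dst, size_t dstsz, size_t *pos, const char *src) {
    static const char hex[] = "0123456789abcdef";
    for (const unsigned char *p = (const unsigned char *)src; *p; ++p) {
        int special = (*p == '*' || *p == '(' || *p == ')' || *p == '\\');
        if (*pos + (special ? 3 : 1) >= dstsz) return -1; /* keep room for NUL */
        if (special) {
            dst[(*pos)++] = '\\';
            dst[(*pos)++] = hex[*p >> 4];
            dst[(*pos)++] = hex[*p & 0x0f];
        } else {
            dst[(*pos)++] = (char)*p;
        }
    }
    dst[*pos] = '\0';
    return 0;
}

/* Build the filter used to test membership in a group entry.
 * groupmember: value of auth.backend.ldap.groupmember ("memberUid" or "member")
 * username:    login name from the HTTP credentials -> (memberUid=$username)
 * user_dn:     DN found by the earlier authentication search -> (member=$userDN)
 * Returns 0 on success, -1 on unsupported attribute, missing value or overflow. */
int build_group_filter(char *out, size_t outsz, const char *groupmember,
                       const char *username, const char *user_dn) {
    const char *value;
    if (0 == strcmp(groupmember, "memberUid")) value = username;
    else if (0 == strcmp(groupmember, "member")) value = user_dn;
    else return -1; /* never interpolate an arbitrary attribute name */
    if (NULL == value || '\0' == *value) return -1;
    int n = snprintf(out, outsz, "(%s=", groupmember);
    if (n < 0 || (size_t)n >= outsz) return -1;
    size_t pos = (size_t)n;
    if (filter_escape(out, outsz, &pos, value) != 0) return -1;
    if (pos + 1 >= outsz) return -1;
    out[pos++] = ')';
    out[pos] = '\0';
    return 0;
}

int main(void) {
    char f[128]; /* constructed login name containing filter metacharacters */
    if (0 == build_group_filter(f, sizeof f, "memberUid", "*)(uid=*", NULL)) puts(f);
    return 0;
}
```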
Well, group=... is not implemented in the main lighttpd server, and so gets ignored at runtime.
With this patch, it is implemented for LDAP, but is still currently ignored for other backends.
It is just a warning, so you're welcome to disable it if using this patch.
Thanks for the feedback! I'll consider adding this to mod_authn_ldap in a future release.