Feature #1817

closed

LDAP-Group support for HTTP-Authentication

Added by mr_bond over 15 years ago. Updated about 7 years ago.

Status:
Fixed
Priority:
Low
Category:
mod_auth
Target version:
ASK QUESTIONS IN Forums:

Description

Support for using ldap DN in auth-require, example:

auth.require = ( 
    "/" => (
        "method" => "basic",
        "realm" => "test lighty auth",
        "require" => "group=cn=coolguys,ou=groups,dc=foo,dc=org|user=admin|group=cn=group2,ou=groups,dc=foo,dc=org" 
    )
)

Patch also available at http://danielbond.org/patches/lighttpd-http_auth.c-ldap_group.diff

Related issues 1 (0 open, 1 closed)

Related to Bug #134: Ldap Group/Filter Support (Invalid)
Actions #1

Updated by stbuehler over 15 years ago

  • Target version changed from 1.4.20 to 1.4.21
  • Patch available changed from Yes to No
Actions #2

Updated by stbuehler over 15 years ago

  • Tracker changed from Bug to Feature
Actions #3

Updated by icy about 15 years ago

  • Target version changed from 1.4.21 to 1.4.22
  • Patch available changed from No to Yes
Actions #4

Updated by stbuehler about 15 years ago

  • Target version changed from 1.4.22 to 1.4.23
Actions #5

Updated by stbuehler almost 15 years ago

  • Target version changed from 1.4.23 to 1.4.24
Actions #6

Updated by stbuehler over 14 years ago

  • Assignee deleted (stbuehler)
  • Target version changed from 1.4.24 to 1.4.x
Actions #7

Updated by sanya almost 11 years ago

Here is a patch applicable to 1.4.31 and 1.4.32.
Please, make this feature done! :-)

Actions #8

Updated by stbuehler almost 11 years ago

  • Target version changed from 1.4.x to 1.4.33
  • Missing in 1.5.x set to No
Actions #9

Updated by stbuehler over 10 years ago

  • Status changed from Patch Pending to New
  • Target version changed from 1.4.33 to 1.4.x

Patch doesn't apply anymore to current svn. Is there a reason this can't be done with auth.backend.ldap.filter? (I'm not an LDAP user myself, just a question.)

Actions #10

Updated by sanya over 10 years ago

Is there a reason this can't be done with auth.backend.ldap.filter ?

Because it is unimplemented :-)
The 'group=...' rule requires an additional LDAP request: we must get the group members and check whether the current user is among them or not.

Actions #11

Updated by brandocomando about 10 years ago

Is there any way we can get a patch for 1.4.34?

Actions #12

Updated by sanya over 9 years ago

Here is a patch adapted for 1.4.35.

Actions #13

Updated by rajven over 8 years ago

Patch for 1.4.39.
Check group membership by (memberUid=username) in basedn=groupdn.
Added attr with default value:
auth.backend.ldap.groupmember = "memberUid"

Actions #14

Updated by gstrauss over 7 years ago

  • Status changed from New to Need Feedback

lighttpd 1.4.42 revamps mod_auth, creating modules for each backend, e.g. mod_authn_ldap.c.
rajven, still interested in adding group support? If so, the mod_auth revamp will need to be slightly extended to do the authorization in each backend module, instead of just doing authentication in each backend module. I can help with that part if you're willing to make the LDAP group query more efficient.

Actions #15

Updated by gstrauss over 7 years ago

  • Priority changed from Normal to Low

The revamped auth framework does the authorization in each module, so patches to extend LDAP queries should be isolated to mod_authn_ldap.

Actions #16

Updated by gstrauss over 7 years ago

Some notes on the patch:

The patch as written (lighttpd-1.4.39-mod_auth-group-ldap.patch) makes a new connection for each "group=...|group=..." listed in the auth require config. If a local cache were implemented, then it might be better to store the contents of memberOf (in databases where memberOf is part of the user record), or else to query for the user's group membership and store that. Given that local caching is not done (though would be a nice feature to have), the patch should make a single query to ldap with all the group=... as part of the filter. In the typical case, this will probably be configured as a single group=..., so the current patch is probably good enough for most low-traffic uses.

Allowing auth.backend.ldap.groupmember to be specified is not sufficient, since "memberUid", the default, is used with (memberUid=$username), whereas if "member" were used, it would likely need to use the user DN retrieved earlier in mod_authn_ldap, e.g. (member=$userDN). The patch should probably check auth.backend.ldap.groupmember for "memberUid" or "member" and then build the filter appropriately.

buffer *ldap_groupmember is unused.

Attached is an UNTESTED patch updated for lighttpd 1.4.44. It is still not very efficient (no caching of responses), but at least reuses the connection to the LDAP server.

Marking this ticket as "Missing Feedback" due to lack of response to earlier queries. If someone uses the new patch and it works (or doesn't), please report back here. Thx.
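
As an added example (not lighttpd's code and not any of the patches attached to this ticket), the C below puts together the two points made in this thread: it parses an auth.require 'require' string of the form shown in the description (group=...|user=...|valid-user) and builds the single LDAP group-membership filter this comment asks for, picking (memberUid=$username) or (member=$userDN) from the auth.backend.ldap.groupmember setting and ORing all listed groups into one query. It assumes the configured groups share a parent entry (the search base would be that parent, e.g. ou=groups,dc=foo,dc=org, and is not computed here) and that each group DN's first RDN contains no escaped commas. The function names, the user bob and all DNs are constructed for the example. Client-supplied values are escaped per RFC 4515 before they enter the filter, so filter metacharacters in a login name cannot change the query's structure.

```c
/* Added example (not lighttpd or patch code): parse an auth.require "require"
 * string and build one LDAP filter checking membership in all listed groups.
 * User names, DNs and function names here are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define MAX_RULES 8

struct require_rule {
    int valid_user;
    const char *users[MAX_RULES];  size_t nusers;
    const char *groups[MAX_RULES]; size_t ngroups;
};

/* Split "group=...|user=...|valid-user" in place (spec is modified).
 * Unknown or empty terms are rejected instead of being silently ignored. */
int parse_require(char *spec, struct require_rule *r) {
    memset(r, 0, sizeof *r);
    for (char *tok = spec; tok; ) {
        char *bar = strchr(tok, '|');
        if (bar) *bar = '\0';
        if (strcmp(tok, "valid-user") == 0)
            r->valid_user = 1;
        else if (strncmp(tok, "user=", 5) == 0 && r->nusers < MAX_RULES)
            r->users[r->nusers++] = tok + 5;
        else if (strncmp(tok, "group=", 6) == 0 && r->ngroups < MAX_RULES)
            r->groups[r->ngroups++] = tok + 6;
        else
            return -1;
        tok = bar ? bar + 1 : NULL;
    }
    return 0;
}

/* RFC 4515 escaping for a value embedded in a search filter: '*', '(', ')',
 * '\' and control bytes become \xx.  Returns bytes written, -1 if out is small. */
int ldap_filter_escape(const char *in, char *out, size_t outlen) {
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (; *in; ++in) {
        unsigned char c = (unsigned char)*in;
        if (c == '*' || c == '(' || c == ')' || c == '\\' || c < 0x20) {
            if (o + 3 >= outlen) return -1;
            out[o++] = '\\'; out[o++] = hex[c >> 4]; out[o++] = hex[c & 0xf];
        } else {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* "(cn=coolguys)" from "cn=coolguys,ou=groups,dc=foo,dc=org" (assumes the
 * first RDN has no escaped commas). */
static int rdn_filter(const char *dn, char *out, size_t outlen) {
    const char *eq = strchr(dn, '=');
    const char *comma = strchr(dn, ',');
    if (!eq || eq == dn || (comma && comma < eq)) return -1;
    size_t vlen = comma ? (size_t)(comma - eq - 1) : strlen(eq + 1);
    char value[256], escaped[3 * sizeof value];
    if (vlen >= sizeof value) return -1;
    memcpy(value, eq + 1, vlen);
    value[vlen] = '\0';
    if (ldap_filter_escape(value, escaped, sizeof escaped) < 0) return -1;
    int n = snprintf(out, outlen, "(%.*s=%s)", (int)(eq - dn), dn, escaped);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* One query for all groups: (&(memberUid=$user)(|(cn=g1)(cn=g2)...)).
 * memberUid (posixGroup) takes the login name, member (groupOfNames) the DN. */
int build_group_filter(const char *groupmember, const char *user, const char *userdn,
                       const char *const *groups, size_t ngroups,
                       char *out, size_t outlen) {
    const char *value;
    if (strcmp(groupmember, "memberUid") == 0) value = user;
    else if (strcmp(groupmember, "member") == 0) value = userdn;
    else return -1;                       /* unsupported attribute: fail closed */
    if (!value || ngroups == 0) return -1;
    char ev[768];
    if (ldap_filter_escape(value, ev, sizeof ev) < 0) return -1;
    int n = snprintf(out, outlen, "(&(%s=%s)%s", groupmember, ev, ngroups > 1 ? "(|" : "");
    if (n < 0 || (size_t)n >= outlen) return -1;
    size_t o = (size_t)n;
    for (size_t i = 0; i < ngroups; ++i) {
        n = rdn_filter(groups[i], out + o, outlen - o);
        if (n < 0) return -1;
        o += (size_t)n;
    }
    n = snprintf(out + o, outlen - o, "%s)", ngroups > 1 ? ")" : "");
    return (n < 0 || (size_t)n >= outlen - o) ? -1 : 0;
}

/* 1 if the filter built from spec equals expected, 0 on mismatch or error. */
int filter_equals(const char *groupmember, const char *user, const char *userdn,
                  const char *spec, const char *expected) {
    char buf[512], filter[1024];
    struct require_rule r;
    if (strlen(spec) >= sizeof buf) return 0;
    strcpy(buf, spec);
    if (parse_require(buf, &r) != 0) return 0;
    if (build_group_filter(groupmember, user, userdn, r.groups, r.ngroups,
                           filter, sizeof filter) != 0) return 0;
    return strcmp(filter, expected) == 0;
}

int main(void) {
    char spec[] = "group=cn=coolguys,ou=groups,dc=foo,dc=org|user=admin|"
                  "group=cn=group2,ou=groups,dc=foo,dc=org";   /* from the description */
    struct require_rule r;
    char filter[1024];
    if (parse_require(spec, &r) != 0 || build_group_filter("memberUid", "bob", NULL,
            r.groups, r.ngroups, filter, sizeof filter) != 0)
        return 1;
    printf("%s\n", filter); /* (&(memberUid=bob)(|(cn=coolguys)(cn=group2))) */
    return 0;
}
```

With the filter above, the search would be issued once against the groups' parent entry with subtree scope; any returned entry means the user is a member of at least one required group. The user= and valid-user terms are parsed but left to the caller, which matches the thread's point that authorization beyond authentication is the part mod_authn_ldap would need to grow.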

Actions #17

Updated by gstrauss over 7 years ago

  • Target version deleted (1.4.x)
Actions #18

Updated by gstrauss over 7 years ago

  • Related to Bug #134: Ldap Group/Filter Support added
Actions #19

Updated by sanya over 7 years ago

Feedback: it works!
Tested on 1.4.43 and 1.4.44
Good work, thank you very much!

Btw, is it ok to see in error log lines like this: "(mod_auth.c.166) warning parsing auth.require 'require' field: 'group' not implemented; field value: group=..."?

Actions #20

Updated by gstrauss over 7 years ago

Well, group=... is not implemented in the main lighttpd server, and so gets ignored at runtime.

With this patch, it is implemented for LDAP, but is still currently ignored for other backends.

It is just a warning, so you're welcome to disable it if using this patch.

Thanks for the feedback! I'll consider adding this to mod_authn_ldap in a future release.

Actions #21

Updated by gstrauss over 7 years ago

  • Status changed from Missing Feedback to Patch Pending
  • Target version set to 1.4.46
Actions #22

Updated by gstrauss about 7 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100