Feature #1817

LDAP-Group support for HTTP-Authentication

Added by mr_bond over 8 years ago. Updated about 2 months ago.

Status: Fixed
Priority: Low
Assignee: -
Category: mod_auth
Target version:
Start date: 2008-11-07
Due date:
% Done: 100%
Missing in 1.5.x: No

Description

Support for using ldap DN in auth-require, example:

auth.require = ( 
    "/" => (
        "method" => "basic",
        "realm" => "test lighty auth",
        "require" => "group=cn=coolguys,ou=groups,dc=foo,dc=org|user=admin|group=cn=group2,ou=groups,dc=foo,dc=org" 
    )
)

Patch also available at http://danielbond.org/patches/lighttpd-http_auth.c-ldap_group.diff

lighttpd-http_auth.c-ldap_group.diff - patch -p0 < patch, in root of tarball (6.07 KB) mr_bond, 2008-11-07 15:32

lighttpd-1.4.31-http_auth.c-ldap_group.diff (6.08 KB) sanya, 2013-07-11 10:21

ldap-groups-1.4.35.patch.zip (2.84 KB) sanya, 2014-10-03 16:13

lighttpd-1.4.39-mod_auth-group-ldap.patch (10 KB) rajven, 2016-01-22 13:00

lighttpd-1.4.44-mod_authn_ldap-group.patch - *UNTESTED* (5.15 KB) gstrauss, 2016-12-23 01:50

Related issues

Related to Bug #134: Ldap Group/Filter Support Invalid

Associated revisions

Revision a401c946 (diff)
Added by gstrauss 7 months ago

[mod_auth] HTTP Basic auth backends also do authz (#1817)

HTTP Basic auth backends now do both authn and authz
in order to provide a means to extend backends to optionally
support group authz

x-ref:
"LDAP-Group support for HTTP-Authentication"
https://redmine.lighttpd.net/issues/1817

Revision 9c91af0c (diff)
Added by gstrauss 3 months ago

[mod_auth] support LDAP groups for HTTP auth (fixes #1817)

x-ref:
"LDAP-Group support for HTTP-Authentication"
https://redmine.lighttpd.net/issues/1817

History

#1 Updated by stbuehler over 8 years ago

  • Target version changed from 1.4.20 to 1.4.21
  • Patch available changed from Yes to No

#2 Updated by stbuehler over 8 years ago

  • Tracker changed from Bug to Feature

#3 Updated by icy about 8 years ago

  • Target version changed from 1.4.21 to 1.4.22
  • Patch available changed from No to Yes

#4 Updated by stbuehler about 8 years ago

  • Target version changed from 1.4.22 to 1.4.23

#5 Updated by stbuehler almost 8 years ago

  • Target version changed from 1.4.23 to 1.4.24

#6 Updated by stbuehler over 7 years ago

  • Assignee deleted (stbuehler)
  • Target version changed from 1.4.24 to 1.4.x

#7 Updated by sanya almost 4 years ago

Here is a patch applicable for 1.4.31 and 1.4.32.
Please, make this feature done! :-)

#8 Updated by stbuehler almost 4 years ago

  • Target version changed from 1.4.x to 1.4.33
  • Missing in 1.5.x set to No

#9 Updated by stbuehler over 3 years ago

  • Status changed from Patch Pending to New
  • Target version changed from 1.4.33 to 1.4.x

Patch doesn't apply anymore to current svn. Is there a reason this can't be done with auth.backend.ldap.filter ? (I'm not a LDAP user myself, just a question)

#10 Updated by sanya over 3 years ago

Is there a reason this can't be done with auth.backend.ldap.filter ?

Because it is unimplemented :-)
The 'group=...' rule requires an additional LDAP request: we must get the group members and check whether the current user is among them or not.

#11 Updated by brandocomando about 3 years ago

Is there any way we can get a patch for 1.4.34?

#12 Updated by sanya over 2 years ago

Here is a patch adapted for 1.4.35.

#13 Updated by rajven over 1 year ago

Patch for 1.4.39.
Checks group membership by (memberUid=username) in basedn=groupdn.
Added an attribute with a default value:
auth.backend.ldap.groupmember = "memberUid"

#14 Updated by gstrauss 7 months ago

  • Status changed from New to Need Feedback

lighttpd 1.4.42 revamps mod_auth, creating modules for each backend, e.g. mod_authn_ldap.c.
rajven, still interested in adding group support? If so, the mod_auth revamp will need to be slightly extended to do the authorization in each backend module, instead of just doing authentication in each backend module. I can help with that part if you're willing to make the LDAP group query more efficient.

#15 Updated by gstrauss 5 months ago

  • Priority changed from Normal to Low

The revamped auth framework does the authorization in each module, so patches to extend LDAP queries should be isolated to mod_authn_ldap.

#16 Updated by gstrauss 4 months ago

Some notes on the patch:

The patch as written (lighttpd-1.4.39-mod_auth-group-ldap.patch) makes a new connection for each "group=...|group=..." listed in the auth require config. If a local cache were implemented, then it might be better to store the contents of memberOf (in databases where memberOf is part of the user record), or else to query for the user's group membership and store that. Given that local caching is not done (though would be a nice feature to have), the patch should make a single query to ldap with all the group=... as part of the filter. In the typical case, this will probably be configured as a single group=..., so the current patch is probably good enough for most low-traffic uses.

Allowing auth.backend.ldap.groupmember to be specified is not sufficient since "memberUid", the default, is used with (memberUid=$username), whereas if "member" were used, it would likely need to use the user DN retrieved earlier in mod_authn_ldap, e.g. (member=$userDN). The patch should probably check auth.backend.ldap.groupmember for "memberUid" or "member" and then build the filter appropriately.

buffer *ldap_groupmember is unused.

Attached is an UNTESTED patch updated for lighttpd 1.4.44. It is still not very efficient (no caching of responses), but at least reuses the connection to the LDAP server.

Marking this ticket as "Missing Feedback" due to lack of response to earlier queries. If someone uses the new patch and it works (or doesn't), please report back here. Thx.
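The filter-building rule from comment #16 (memberUid takes the bare username, member takes the user DN found during authentication), worked as an added C example; it is not code from lighttpd or from any of the attached patches, the function names are assumptions, and the RFC 4515 escaping step is added so that characters in a Basic-auth username cannot change the meaning of the filter.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* RFC 4515 escaping for a value embedded in an LDAP search filter.
 * Returns a malloc'd string the caller frees, or NULL on allocation failure. */
static char *ldap_filter_escape(const char *s) {
    char *out = malloc(strlen(s) * 3 + 1); /* worst case: every byte escaped */
    char *p = out;
    if (!out) return NULL;
    for (; *s; ++s) {
        unsigned char c = (unsigned char)*s;
        if (c == '*' || c == '(' || c == ')' || c == '\\')
            p += sprintf(p, "\\%02x", c);
        else
            *p++ = (char)c;
    }
    *p = '\0';
    return out;
}

/* Build the membership filter for a group lookup, following comment #16:
 * memberUid entries hold bare usernames, member entries hold full user DNs
 * (the DN already located when the user was authenticated). Any other
 * attribute name is refused instead of guessed. The function name is
 * an assumption of this example, not a lighttpd symbol. */
char *ldap_group_filter(const char *groupmember, const char *username,
                        const char *user_dn) {
    const char *value;
    if (0 == strcmp(groupmember, "memberUid"))   value = username;
    else if (0 == strcmp(groupmember, "member")) value = user_dn;
    else return NULL;

    char *esc = ldap_filter_escape(value);
    if (!esc) return NULL;
    size_t len = strlen(groupmember) + strlen(esc) + 4; /* "(" "=" ")" NUL */
    char *filter = malloc(len);
    if (filter) snprintf(filter, len, "(%s=%s)", groupmember, esc);
    free(esc);
    return filter;
}

int main(void) {
    /* Constructed sample values standing in for a Basic-auth username and
     * the user DN found by the earlier LDAP search. */
    char *f = ldap_group_filter("memberUid", "admin", "uid=admin,ou=people,dc=foo,dc=org");
    if (f) { puts(f); free(f); } /* prints (memberUid=admin) */
    return 0;
}
```

The returned filter is what a patch along the lines of comment #16 would hand to the LDAP search against the group's DN; the base DN and scope are unchanged from what the ticket describes.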

#17 Updated by gstrauss 4 months ago

  • Target version deleted (1.4.x)

#18 Updated by gstrauss 4 months ago

  • Related to Bug #134: Ldap Group/Filter Support added

#19 Updated by sanya 4 months ago

Feedback: it works!
Tested on 1.4.43 and 1.4.44
Good work, thank you very much!

Btw, is it ok to see in error log lines like this: "(mod_auth.c.166) warning parsing auth.require 'require' field: 'group' not implemented; field value: group=..."?

#20 Updated by gstrauss 4 months ago

Well, group=... is not implemented in the main lighttpd server, and so gets ignored at runtime.

With this patch, it is implemented for LDAP, but is still currently ignored for other backends.

It is just a warning, so you're welcome to disable it if using this patch.

Thanks for the feedback! I'll consider adding this to mod_authn_ldap in a future release.

#21 Updated by gstrauss 4 months ago

  • Status changed from Missing Feedback to Patch Pending
  • Target version set to 1.4.46

#22 Updated by gstrauss about 2 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
