Project

General

Profile

Actions

Feature #1817

closed

LDAP-Group support for HTTP-Authentication

Added by mr_bond about 16 years ago. Updated over 7 years ago.

Status:
Fixed
Priority:
Low
Category:
mod_auth
Target version:
ASK QUESTIONS IN Forums:

Description

Support for using ldap DN in auth-require, example:

auth.require = ( 
    "/" => (
        "method" => "basic",
        "realm" => "test lighty auth",
        "require" => "group=cn=coolguys,ou=groups,dc=foo,dc=org|user=admin|group=cn=group2,ou=groups,dc=foo,dc=org" 
    )
)

Patch also available at http://danielbond.org/patches/lighttpd-http_auth.c-ldap_group.diff



Files


Related issues 1 (0 open1 closed)

Related to Bug #134: Ldap Group/Filter SupportInvalidActions
Actions #1

Updated by stbuehler about 16 years ago

  • Target version changed from 1.4.20 to 1.4.21
  • Patch available changed from Yes to No
Actions #2

Updated by stbuehler about 16 years ago

  • Tracker changed from Bug to Feature
Actions #3

Updated by icy almost 16 years ago

  • Target version changed from 1.4.21 to 1.4.22
  • Patch available changed from No to Yes
Actions #4

Updated by stbuehler over 15 years ago

  • Target version changed from 1.4.22 to 1.4.23
Actions #5

Updated by stbuehler over 15 years ago

  • Target version changed from 1.4.23 to 1.4.24
Actions #6

Updated by stbuehler about 15 years ago

  • Assignee deleted (stbuehler)
  • Target version changed from 1.4.24 to 1.4.x
Actions #7

Updated by sanya over 11 years ago

here is a patch applicable for 1.4.31 and 1.4.32.
please, make this feature done! :-)

Actions #8

Updated by stbuehler over 11 years ago

  • Target version changed from 1.4.x to 1.4.33
  • Missing in 1.5.x set to No
Actions #9

Updated by stbuehler about 11 years ago

  • Status changed from Patch Pending to New
  • Target version changed from 1.4.33 to 1.4.x

Patch doesn't apply anymore to current svn. Is there a reason this can't be done with auth.backend.ldap.filter ? (I'm not a LDAP user myself, just a question)

Actions #10

Updated by sanya about 11 years ago

Is there a reason this can't be done with auth.backend.ldap.filter ?

because it is unimplemented :-)
'group=...' rule requires additional LDAP request -- we must get group members and check whether current user is in it or not.

Actions #11

Updated by brandocomando over 10 years ago

Is there anyway we can get a patch for 1.4.34?

Actions #12

Updated by sanya about 10 years ago

here is a patch adopted for 1.4.35

Actions #13

Updated by rajven almost 9 years ago

patch for 1.4.39.
check group membership by (memberUid=username) in basedn=groupdn.
added attr with default value:
auth.backend.ldap.groupmember = "memberUid"

Actions #14

Updated by gstrauss about 8 years ago

  • Status changed from New to Need Feedback

lighttpd 1.4.42 revamps mod_auth, creating modules for each backend, e.g. mod_authn_ldap.c
rajven, still interested in adding group support? If so, the mod_auth revamp will need to be slightly extended to do the authorization in each backend module, instead of just doing authentication in each backend module. I can help with that part if you're willing to make the LDAP group query more efficient.

Actions #15

Updated by gstrauss almost 8 years ago

  • Priority changed from Normal to Low

The revamped auth framework does the authorization in each module, so patches to extend LDAP queries should be isolated to mod_authn_ldap.

Actions #16

Updated by gstrauss almost 8 years ago

Some notes on the patch:

The patch as written (lighttpd-1.4.39-mod_auth-group-ldap.patch) makes a new connection for each "group=...|group=..." listed in the auth require config. If a local cache were implemented, then it might be better to store the contents of memberOf (in databases where memberOf is part of the user record), or else to query for the user's group membership and store that. Given that local caching is not done (though would be a nice feature to have), the patch should make a single query to ldap with all the group=... as part of the filter. In the typical case, this will probably be configured as a single group=..., so the current patch is probably good enough for most low-traffic uses.

Allowing auth.backend.ldap.groupmember to be specified is not sufficient since "memberUid", the default, is used with (memberUid=$username) whereas if "member" were used, it would likely need to use the user DN retrieved earlier in mod_authn_ldap, e.g. (member=$userDN) The patch should probably check auth.backend.ldap.groupmember for "memberUid" or "member" and then build the filter appropriately.

buffer *ldap_groupmember is unused.

Attached is an UNTESTED patch updated for lighttpd 1.4.44. It is still not very efficient (no caching of responses), but at least reuses the connection to the LDAP server.

Marking this ticket as "Missing Feedback" due to lack of response to earlier queries. If someone uses the new patch and it works (or doesn't), please report back here. Thx.

Actions #17

Updated by gstrauss almost 8 years ago

  • Target version deleted (1.4.x)
Actions #18

Updated by gstrauss almost 8 years ago

  • Related to Bug #134: Ldap Group/Filter Support added
Actions #19

Updated by sanya almost 8 years ago

Feedback: it works!
Tested on 1.4.43 and 1.4.44
Good work, thank you very much!

Btw, is it ok to see in error log lines like this: "(mod_auth.c.166) warning parsing auth.require 'require' field: 'group' not implemented; field value: group=..."?

Actions #20

Updated by gstrauss almost 8 years ago

Well, group=... is not implemented in the main lighttpd server, and so gets ignored at runtime.

With this patch, it is implemented for LDAP, but is still currently ignored for other backends.

It is just a warning, so you're welcome to disable it if using this patch.

Thanks for the feedback! I'll consider adding this to mod_authn_ldap in a future release.

Actions #21

Updated by gstrauss almost 8 years ago

  • Status changed from Missing Feedback to Patch Pending
  • Target version set to 1.4.46
Actions #22

Updated by gstrauss over 7 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
Actions

Also available in: Atom