Thread: mod_authnz_ldap and env vars?

mod_authnz_ldap and env vars?
Richard N. Fogle (United States)
2007-09-28 12:29:05
Is there a way to acquire the group via code, like a server environment variable (e.g., like REMOTE_USER) of the group authorized by a require ldap-group (or any group)? This would be extremely helpful in applications where a page would have features depending on the access level of the user. Currently we have to query the LDAP (AD in this case) to get the group and set it in an environment variable. It seems like this is double work; we'd like to dedicate the authentication/authorization handling to Apache. Something like a REMOTE_GROUP which would contain an LDAP attribute we could specify. Using Apache 2.2 and Active Directory 2000.

Rich

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: mod_authnz_ldap and env vars?
James Devenish
2007-09-28 20:19:50
Hi Richard,

On 29/09/2007, Richard N. Fogle <rich@neosaint.org> wrote:
> Is there a way to acquire the group via code, like a server
> environment variable (e.g., like REMOTE_USER) of the group authorized
> by a require ldap-group (or any group)?  This would be extremely

I agree that it would be wonderful if something like "REMOTE_GROUP" existed (as long as it's clear how multiple-group membership is expressed). For administrators, I agree that the job is best done in Apache (plus its LDAP caching can be used). Personally, I have patched mod_auth_ldap.c as you suggested, so that the group matched by 'Require group' is added to the environment. This has been running quite well. And what a relief it's been!! It is not quite as useful as enumerating _all_ the groups that the principal belongs to, so any of our applications that need this are still required to do their own LDAP queries. Maybe this is not always so bad, since it means that Apache does not waste time enumerating everybody's entire group membership for every web hit! Overall, your request seems entirely possible, but I have not contributed a patch back to Apache yet.

James.

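James's reply describes adding the group matched by 'Require group' to the environment and asks how multiple-group membership should be expressed. The following is an added example, not code from this thread, from James's patch or from the httpd project: it shows how an application can consume a group attribute that Apache has exported into the request environment instead of repeating the LDAP query itself. It assumes the documented mod_authnz_ldap behaviour of exporting every attribute named in AuthLDAPUrl as an AUTHENTICATE_<ATTRIBUTE> environment variable, and further assumes (this is my assumption about util_ldap's formatting, not something the thread states; check the output on your own server) that the values of a multi-valued attribute such as memberOf arrive as one string joined with "; ". The hostname, group DNs, feature names and sample environments are all made up.

```python
"""
Added example (not code from this thread or from the httpd project):
gate application features on the LDAP group(s) that Apache has exported
into the request environment, the way the thread wishes REMOTE_GROUP would.

Assumed Apache 2.2 mod_authnz_ldap configuration (hostname and DNs made up):

    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPUrl "ldap://ad.example.com/DC=example,DC=com?sAMAccountName,memberOf?sub?(objectClass=user)"
    Require ldap-group CN=WebUsers,OU=Groups,DC=example,DC=com

mod_authnz_ldap exports every attribute listed in AuthLDAPUrl as an
AUTHENTICATE_<ATTRIBUTE> environment variable.  This example ASSUMES that the
values of a multi-valued attribute (memberOf) arrive as one string joined
with "; "; confirm against your own server before relying on it.
"""
import os
from typing import Dict, FrozenSet, Mapping

GROUP_ENV_VAR = "AUTHENTICATE_MEMBEROF"  # assumed variable name (see docstring)

# Which group DN(s) unlock each feature.  Constructed sample policy.
FEATURE_GROUPS: Dict[str, FrozenSet[str]] = {
    "view":  frozenset({"CN=WebUsers,OU=Groups,DC=example,DC=com"}),
    "edit":  frozenset({"CN=WebEditors,OU=Groups,DC=example,DC=com",
                        "CN=WebAdmins,OU=Groups,DC=example,DC=com"}),
    "admin": frozenset({"CN=WebAdmins,OU=Groups,DC=example,DC=com"}),
}


def normalize_dn(dn: str) -> str:
    """Canonical form of a DN for comparison: trim whitespace around each RDN
    and fold case, because AD DNs are case-insensitive and the server may
    return 'cn=WebAdmins, OU=Groups' for what the policy spells
    'CN=WebAdmins,OU=Groups'."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def parse_groups(value: str) -> FrozenSet[str]:
    """Split the '; '-joined multi-valued attribute into normalized DNs.
    An empty or missing value yields no groups, so callers fail closed.
    (A DN containing an escaped ';' is not handled; such group names are rare.)"""
    if not value:
        return frozenset()
    return frozenset(normalize_dn(p) for p in value.split(";") if p.strip())


def allowed_features(environ: Mapping[str, str]) -> FrozenSet[str]:
    """Features the authenticated principal may use.

    Only server-set variables are consulted.  Request headers reach CGI/WSGI
    code as HTTP_* entries and are client-controlled, so a client sending an
    'Authenticate-Memberof' header cannot influence this decision."""
    if not environ.get("REMOTE_USER"):
        return frozenset()          # Apache did not authenticate anyone
    groups = parse_groups(environ.get(GROUP_ENV_VAR, ""))
    return frozenset(
        feature for feature, unlocking in FEATURE_GROUPS.items()
        if any(normalize_dn(g) in groups for g in unlocking)
    )


def has_feature(environ: Mapping[str, str], feature: str) -> bool:
    """Convenience wrapper for a single feature check in page code."""
    return feature in allowed_features(environ)


# Constructed sample environments, shaped like what Apache hands a CGI script.
SAMPLE_ADMIN = {
    "REMOTE_USER": "alice",
    "AUTHENTICATE_SAMACCOUNTNAME": "alice",
    "AUTHENTICATE_MEMBEROF": ("CN=WebUsers,OU=Groups,DC=example,DC=com; "
                              "cn=WebAdmins, OU=Groups, DC=example, DC=com"),
}
SAMPLE_VIEWER = {
    "REMOTE_USER": "bob",
    "AUTHENTICATE_MEMBEROF": "CN=WebUsers,OU=Groups,DC=example,DC=com",
}
# Unauthenticated request that tries to smuggle a group list in a header.
SAMPLE_FORGED = {
    "HTTP_AUTHENTICATE_MEMBEROF": "CN=WebAdmins,OU=Groups,DC=example,DC=com",
}

if __name__ == "__main__":
    for name, env in [("alice", SAMPLE_ADMIN), ("bob", SAMPLE_VIEWER),
                      ("forged", SAMPLE_FORGED), ("live", os.environ)]:
        print(name, sorted(allowed_features(env)))
```

Two caveats for anyone adopting this. First, memberOf on an AD user object lists direct group memberships only; a user who is in WebAdmins through a nested group will not show it, so a policy that relies on nesting still needs a server-side group check. Second, the single-group REMOTE_GROUP that the thread asks for (and that James's patch provides) parses with the same function, since a one-value string simply yields a one-element set; the "; " handling only matters once several groups are exported.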


Re: mod_authnz_ldap and env vars?
Richard N. Fogle (United States)
2007-09-30 12:48:07
James,

Thanks for the response, I quite agree this is something that I would logically expect to be included. Would you mind posting your patch? Even if it doesn't get merged I'm sure I'm not the only one who needs to know this information. It makes little sense to have all these tables contain usernames/passwords/group auth while we have a perfectly capable Active Directory infrastructure we can draw upon. Unfortunately, without the capability to see the groups the user logs in under we would have to resort to writing all this into the application, so we'd replace one type of code with another type of auth code instead of pushing it on the web server where (I believe) it belongs.

R
