[Bug 65945] Enhance mod_authnz_ldap to set attribute with group memberships
https://bz.apache.org/bugzilla/show_bug.cgi?id=65945

Eric Covener <covener@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |NEEDINFO

--- Comment #1 from Eric Covener <covener@gmail.com> ---
Can you clarify, do you mean "if httpd found the user in an ldap-group, set an
environment variable" listing the 1 group used? Even this could be tricky with
RequireAny, negated checks, etc.

I don't think there is a good/standard way Apache can convey "all groups for
current user" because the standard LDAP mechanism (like the schema you
describe) gives you a way to check only whether a given user is in a specific
given group. There is no standard interface for returning all groups of a given
user.

I am aware that some LDAP servers provide a "magic" attribute that retrieves
group memberships if they use the standard group schema -- such as
ibm-allGroups for IBM Security Directory Server.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
--- Comment #2 from Chris Lott <christopher.lott@icloud.com> ---
Thanks Eric for the immediate reply! I would be grateful for any scrap of
information about groups.

Today we use "Require ldap-group cn=myusergroup,ou=groups,dc=myproject" to
authorize our users. This means we must name at least one group. And the LDAP
server successfully tests for membership in that group.

So if getting all groups is a non-starter due to all the complexity, how about
setting an attribute with the result of a test that's just like the "Require"
directive? For example, set attribute AUTHORIZE_MEMBER_myusergroup based on
the test "is member of group myusergroup"? If I could test for several groups,
setting a yes/no attribute for each, that would solve the problem nicely.

Chris Lott <christopher.lott@icloud.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |NEW

--- Comment #3 from Ruediger Pluem <rpluem@apache.org> ---
What happens if you use for example

AuthLDAPURL "ldap://ldap1.example.com:389/ou=People, o=Example?uid,memberof?sub?(objectClass=*)"

The important part is uid,memberof

This should give you an AUTHENTICATE_MEMBEROF environment variable with all
values of this attribute for the user separated by '; '.

--- Comment #4 from Chris Lott <christopher.lott@icloud.com> ---
Thanks Rüdiger for the suggestion about "memberof". I definitely tested that
but no luck.

I added "memberof" to the list of attributes in the AuthLDAPURL line, and I
added these config lines to httpd-ssl.conf:

PassEnv AUTHORIZE_memberof
RequestHeader set X-LDAP-Memberof %{AUTHORIZE_memberof}e

But the result was empty; here's the log output from my Flask server dumping out
all header items:

2022-03-09T13:37:05+0000 DEBUG mysrv before_request: header ('X-Ldap-Memberof',
'')

I'm using a very simple LDAP server in a docker container - pulled image
bitnami/openldap:2.6 from Dockerhub.

Also, the comments from Eric Covener seem to suggest it's impossible to query
an LDAP server for all the user's groups; you don't agree?

--- Comment #5 from Ruediger Pluem <rpluem@apache.org> ---
Have you tried

RequestHeader set X-LDAP-Memberof %{AUTHORIZE_MEMBEROF}s

instead (s instead of e) ?

--- Comment #6 from Chris Lott <christopher.lott@icloud.com> ---
Hi Rüdiger, thanks for the suggestion. I tested it by adding 'memberof' to the
list of attributes in my AuthLDAPURL string, then added these config lines:

PassEnv AUTHORIZE_memberof
RequestHeader set X-LDAP-memberof-e %{AUTHORIZE_memberof}e
RequestHeader set X-LDAP-memberof-s %{AUTHORIZE_memberof}s


But the result was as before, with the slight difference that the "e" value is
the empty string and the "s" value is the 6-character sequence (null):

2022-03-10T13:19:40+0000 DEBUG tesrv before_request: header
('X-Ldap-Memberof-E', '')
2022-03-10T13:19:40+0000 DEBUG tesrv before_request: header
('X-Ldap-Memberof-S', '(null)')

Then I used the force & read the source. I checked file
https://github.com/apache/httpd/blob/trunk/modules/aaa/mod_authnz_ldap.c where
I could not find a single occurrence of string `memberof`. Is that the right
file to check for this feature?

--- Comment #7 from Ruediger Pluem <rpluem@apache.org> ---
The code that sets the values of attributes into the environment variables is
generic and hence grepping for memberof will fail. Have a look here:

https://github.com/apache/httpd/blob/2ee9fefa98bf684d6c7263202a32947745db8bfb/modules/ldap/util_ldap.c#L1865-L1887

https://github.com/apache/httpd/blob/2ee9fefa98bf684d6c7263202a32947745db8bfb/modules/aaa/mod_authnz_ldap.c#L387-L408


Can you provide an LDIF of one of your users from your LDAP?

--- Comment #8 from Chris Lott <christopher.lott@icloud.com> ---
Hi Rüdiger, thanks for the links to code, I'll try to understand how that works.

I'm glad to provide a (sanitized) LDAP user entry, here's the structure we use:

dn: uid=tr01,ou=users,dc=myproject
objectClass: inetOrgPerson
uid: tr01
cn: Todd
sn: Rundgren

The LDIF file puts good old Todd Rundgren (and others) into a group like this:

dn: cn=my-user-group,ou=groups,dc=myproject
objectClass: groupOfUniqueNames
cn: my-user-group
uniqueMember: uid=tr01,ou=users,dc=myproject

So I was able to name attributes cn and sn in the AuthLDAPURL and use
environment variables AUTHORIZE_cn and AUTHORIZE_sn to pass on Todd's first and
last names over to our back-end server.

I suppose I could add an entry "groups" or something into Todd's user entry and
pass that attribute along, but that feels like a brutal hack; I'm not happy
about adding redundant information.

--- Comment #9 from Ruediger Pluem <rpluem@apache.org> ---
I just learned that memberof is an MS Active Directory (AD) specific virtual
attribute that AD calculates. Hence this only works if your LDAP server is an
AD. For other LDAP servers you need to have a look if there is such a special
attribute as Eric pointed out. If not, I think there is currently no way to
figure this out.

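The reverse membership lookup that the groupOfUniqueNames schema does support, as an added example that is not part of the thread and not httpd's own code. Comment #8 shows groups that list their members as uniqueMember values, and comment #9 notes that memberof is a server-computed attribute a plain OpenLDAP instance does not carry. With that schema, the standard way to find every group of a user is to search the groups subtree for entries whose uniqueMember equals the user's DN; mod_authnz_ldap does not perform that search, so the Python below evaluates the equivalent filter locally over a constructed LDIF modelled on the thread's entries (the second user and second group are invented), escapes the DN per RFC 4515 before building the filter so a crafted uid cannot change its meaning, and assembles the AUTHORIZE_MEMBEROF value (values joined by '; ', as comment #3 describes) plus the per-group yes/no variables proposed in comment #2. All function and variable names are this example's own.

```python
"""Reverse group lookup for the groupOfUniqueNames schema (added example)."""
from collections import defaultdict

# Constructed LDIF, modelled on the sanitized entries posted in comment #8.
# jd02 and my-admin-group are invented so that multi-valued output is visible.
SAMPLE_LDIF = """\
dn: uid=tr01,ou=users,dc=myproject
objectClass: inetOrgPerson
uid: tr01
cn: Todd
sn: Rundgren

dn: uid=jd02,ou=users,dc=myproject
objectClass: inetOrgPerson
uid: jd02
cn: Jane
sn: Doe

dn: cn=my-user-group,ou=groups,dc=myproject
objectClass: groupOfUniqueNames
cn: my-user-group
uniqueMember: uid=tr01,ou=users,dc=myproject
uniqueMember: uid=jd02,ou=users,dc=myproject

dn: cn=my-admin-group,ou=groups,dc=myproject
objectClass: groupOfUniqueNames
cn: my-admin-group
uniqueMember: uid=tr01,ou=users,dc=myproject
"""


def parse_ldif(text):
    """Parse minimal LDIF (no continuation lines, no base64 values) into
    dn -> {attribute -> [values]}. LDAP attribute names are case-insensitive,
    so keys are lowercased."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends an entry
            current = None
            continue
        name, _, value = line.partition(": ")
        name = name.lower()
        if name == "dn":
            current = entries.setdefault(value, defaultdict(list))
        elif current is not None:
            current[name].append(value)
    return entries


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter.
    Without it a uid such as ')(uid=*' would rewrite the filter itself."""
    out = []
    for ch in value:
        if ch in "\\*()" or ch == "\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def membership_filter(user_dn):
    """The filter a real search against ou=groups would use to find every
    group that lists this user as a uniqueMember."""
    return "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" % (
        escape_filter_value(user_dn))


def groups_of(entries, user_dn):
    """Evaluate that filter locally: DNs of groupOfUniqueNames entries whose
    uniqueMember values contain user_dn."""
    return sorted(
        dn for dn, attrs in entries.items()
        if "groupofuniquenames" in [v.lower() for v in attrs.get("objectclass", [])]
        and user_dn in attrs.get("uniquemember", [])
    )


def authorize_env(entries, user_dn, known_groups):
    """Build the variables the thread asks for: AUTHORIZE_MEMBEROF with all
    group DNs joined by '; ' (the separator mod_authnz_ldap uses for
    multi-valued attributes) and a yes/no AUTHORIZE_MEMBER_<cn> for each
    group name in known_groups."""
    groups = groups_of(entries, user_dn)
    env = {"AUTHORIZE_MEMBEROF": "; ".join(groups)}
    for cn in known_groups:
        group_dn = "cn=%s,ou=groups,dc=myproject" % cn
        env["AUTHORIZE_MEMBER_" + cn.replace("-", "_")] = (
            "yes" if group_dn in groups else "no")
    return env


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    todd = "uid=tr01,ou=users,dc=myproject"
    print(membership_filter(todd))
    for key, val in authorize_env(directory, todd, ["my-user-group", "my-admin-group"]).items():
        print("%s=%s" % (key, val))
```

Against a real directory, membership_filter() is the filter to run with a search base of ou=groups,dc=myproject; the rest of the block is the post-processing a back-end would do with the result. A group header derived this way is only trustworthy when the proxy sets it unconditionally on every request (as RequestHeader set does), never when a value supplied by the client is passed through.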