From 6ca78283e47a2385bfc3416bd5a98f998d991ece Mon Sep 17 00:00:00 2001 From: "Paul J. Reder" Date: Thu, 15 Nov 2007 19:48:24 +0000 Subject: [PATCH] Added documentation related to the nested group support that I added a while ago. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@595409 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_authnz_ldap.xml | 154 ++++++++++++++++++++++++++-- docs/manual/mod/mod_ldap.xml | 3 + 2 files changed, 150 insertions(+), 7 deletions(-) diff --git a/docs/manual/mod/mod_authnz_ldap.xml b/docs/manual/mod/mod_authnz_ldap.xml index c86387bfe2..20224d42d7 100644 --- a/docs/manual/mod/mod_authnz_ldap.xml +++ b/docs/manual/mod/mod_authnz_ldap.xml @@ -212,7 +212,8 @@ for HTTP Basic authentication.
  • Grant access if there is a Require ldap-group directive, and the DN fetched from the LDAP directory (or the username - passed by the client) occurs in the LDAP group.
  • + passed by the client) occurs in the LDAP group or, potentially, in + one of its sub-groups.
  • Grant access if there is a Require ldap-attribute @@ -289,6 +290,32 @@ for HTTP Basic authentication. user DN or the username when doing comparisons for the Require ldap-group directive. + + + AuthLDAPMaxSubGroupDepth + + Determines the maximum depth of sub-groups that will be evaluated + during comparisons in the Require ldap-group directive. + + + + AuthLDAPSubGroupAttribute + + Determines the attribute to use when obtaining sub-group members + of the current group during comparisons in the Require ldap-group + directive. + + + + AuthLDAPSubGroupClass + + Specifies the LDAP objectClass values used to identify if queried directory + objects really are group objects (as opposed to user objects) during the + Require ldap-group directive's sub-group processing. + @@ -365,10 +392,54 @@ uniqueMember: cn=Fred User, o=Airius
    Barbara:

    Require ldap-group cn=Administrators, o=Airius +

    Members can also be found within sub-groups of a specified LDAP group + if AuthLDAPMaxSubGroupDepth + is set to a value greater than 0. For example, assume the following entries + exist in the LDAP directory:

    + +dn: cn=Employees, o=Airius
    +objectClass: groupOfUniqueNames
    +uniqueMember: cn=Managers, o=Airius
    +uniqueMember: cn=Administrators, o=Airius
    +uniqueMember: cn=Users, o=Airius
    +
    +dn: cn=Managers, o=Airius
    +objectClass: groupOfUniqueNames
    +uniqueMember: cn=Bob Ellis, o=Airius
    +uniqueMember: cn=Tom Jackson, o=Airius
    +
    +dn: cn=Administrators, o=Airius
    +objectClass: groupOfUniqueNames
    +uniqueMember: cn=Barbara Jenson, o=Airius
    +uniqueMember: cn=Fred User, o=Airius
    +
    +dn: cn=Users, o=Airius
    +objectClass: groupOfUniqueNames
    +uniqueMember: cn=Allan Jefferson, o=Airius
    +uniqueMember: cn=Paul Tilley, o=Airius
    +uniqueMember: cn=Temporary Employees, o=Airius
    +
    +dn: cn=Temporary Employees, o=Airius
    +objectClass: groupOfUniqueNames
    +uniqueMember: cn=Jim Swenson, o=Airius
    +uniqueMember: cn=Elliot Rhodes, o=Airius
    +
    + +

    The following directives would allow access for Bob Ellis, Tom Jackson, + Barbara Jensen, Fred User, Allan Jefferson, and Paul Tilley but would not + allow access for Jim Swenson, or Elliot Rhodes (since they are at a + sub-group depth of 2):

    + +Require ldap-group cn=Employees, o-Airius
    +AuthLDAPSubGroupDepth 1
    +
    +

    Behavior of this directive is modified by the AuthLDAPGroupAttribute and - AuthLDAPGroupAttributeIsDN + module="mod_authnz_ldap">AuthLDAPGroupAttribute, AuthLDAPGroupAttributeIsDN, AuthLDAPMaxSubGroupDepth, AuthLDAPSubGroupAttribute, and AuthLDAPSubGroupClass directives.

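Review bot: the configuration example in this hunk would not work as written, which matters because an access-control snippet is exactly what administrators copy into their own configs. `Require ldap-group cn=Employees, o-Airius` has `o-Airius` where every other DN in the hunk uses `o=Airius`, and `AuthLDAPSubGroupDepth 1` names a directive that this patch does not define; the directive added elsewhere in the patch is `AuthLDAPMaxSubGroupDepth`. Suggest `Require ldap-group cn=Employees, o=Airius` followed by `AuthLDAPMaxSubGroupDepth 1`. The LDIF entry for `cn=Administrators` also lists `Barbara Jenson` while the prose says `Barbara Jensen`; the two should agree. Finally, the parenthetical "since they are at a sub-group depth of 2" is slightly off: it is the `cn=Temporary Employees` group that sits at depth 2 below `cn=Employees`, and Jim Swenson and Elliot Rhodes are excluded because they are members only of that group.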
    @@ -796,7 +867,8 @@ Require group mygroupfile AuthLDAPGroupAttribute -LDAP attributes used to check for group membership +LDAP attributes used to identify the user members of +groups. AuthLDAPGroupAttribute attribute directory.htaccess @@ -804,8 +876,8 @@ Require group mygroupfile

    This directive specifies which LDAP attributes are used to - check for group membership. Multiple attributes can be used by - specifying this directive multiple times. If not specified, + check for user members within groups. Multiple attributes can be used + by specifying this directive multiple times. If not specified, then mod_authnz_ldap uses the member and uniquemember attributes.

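Review bot: the default attribute list in this hunk is written `member and uniquemember`, while the new AuthLDAPSubGroupAttribute section added later in the same patch gives the same defaults as `member and uniqueMember`. LDAP matches attribute type names case-insensitively, so behaviour is unaffected, but the manual should spell them one way, preferably `uniqueMember` to match the LDIF examples above. The reworded sentence "check for user members within groups" would also carry the intended contrast with AuthLDAPSubGroupAttribute more clearly as "identify the user (non-group) members of a group".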
    @@ -835,6 +907,28 @@ group membership
    + +AuthLDAPMaxSubGroupDepth +Specifies the maximum sub-group nesting depth that will be +evaluated before the user search is discontinued. +AuthLDAPMaxSubGroupDepth Number +AuthLDAPMaxSubGroupDepth 10 +directory.htaccess + +AuthConfig + + +

    When this directive is set to a non-zero value X + combined with use of the Require ldap-group someGroupDN + directive, the provided user credentials will be searched for + as a member of the someGroupDN directory object or of + any group member of the current group up to the maximum nesting + level X specified by this directive.

    +

    See the Require ldap-group + section for a more detailed example.

    +
    +
    + AuthLDAPRemoteUserAttribute Use the value of the attribute returned during the user @@ -877,6 +971,52 @@ environment variable + +AuthLDAPSubGroupAttribute +Specifies the attribute labels, one value per +directive line, used to distinguish the members of the current group that +are groups. +AuthLDAPSubGroupAttribute attribute +directory.htaccess + +AuthConfig + + +

    An LDAP group object may contain members that are users and + members that are groups (called nested or sub groups). The + AuthLDAPSubGroupAttribute directive identifies the + labels of group members and the AuthLDAPGroupAttribute + directive identifies the labels of the user members. Multiple + attributes can be used by specifying this directive multiple times. + If not specified, then mod_authnz_ldap uses the + member and uniqueMember attributes.

    +
    +
    + + +AuthLDAPSubGroupClass +Specifies which LDAP objectClass values identify directory +objects that are groups during sub-group processing. +AuthLDAPSubGroupClass LdapObjectClass +directory.htaccess + +AuthConfig + + +

    An LDAP group object may contain members that are users and + members that are groups (called nested or sub groups). The + AuthLDAPSubGroupAttribute directive identifies the + labels of members that may be sub-groups of the current group + (as opposed to user members). The AuthLDAPSubGroupClass + directive specifies the LDAP objectClass values used in verifying that + these potential sub-groups are in fact group objects. Verified sub-groups + can then be searched for more user or sub-group members. Multiple + attributes can be used by specifying this directive multiple times. + If not specified, then mod_authnz_ldap uses the + groupOfNames and groupOfUniqueNames values.

    +
    +
    + AuthLDAPUrl URL specifying the LDAP search parameters diff --git a/docs/manual/mod/mod_ldap.xml b/docs/manual/mod/mod_ldap.xml index e7764d991e..97c53d645a 100644 --- a/docs/manual/mod/mod_ldap.xml +++ b/docs/manual/mod/mod_ldap.xml @@ -155,6 +155,9 @@ by other LDAP modules the results of comparisons done between distinguished names.

    +

    Note that, when group membership is being checked, any sub-group + comparison results are cached to speed future sub-group comparisons.

    +

    The behavior of both of these caches is controlled with the LDAPOpCacheEntries and LDAPOpCacheTTL -- 2.40.0
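Review bot: in the first hunk (@@ -212,7 +212,8 @@), "or, potentially, in one of its sub-groups" leaves the governing condition implicit; suggest "or, when AuthLDAPMaxSubGroupDepth is greater than 0, in one of its sub-groups", since this overview is where an administrator learns that nested matching is active by default (the directive's own section gives a default of 10). In the summary list (@@ -289,6 +290,32 @@), "used to identify if queried directory objects really are group objects" reads better as "used to determine whether queried directory objects are group objects".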
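Review bot: the AuthLDAPMaxSubGroupDepth description (@@ -835,6 +907,28 @@) does not say what ends the search when group membership is cyclic, for example group A listing group B as a member while B lists A; if the depth limit is the only guard, the documentation should state that, because the default of 10 then bounds how many directory lookups a single authorization request can trigger against such a directory, and an administrator choosing a value needs to know it. The phrase "the provided user credentials will be searched for as a member" is also inaccurate: it is the user's DN (or the username, per AuthLDAPGroupAttributeIsDN) that is compared against the group, never the credentials. Lastly, the meaning of 0 (sub-group processing disabled) currently appears only in the Require ldap-group example text; it belongs in this directive's own description as well.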
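Review bot: in the AuthLDAPSubGroupClass description (@@ -877,6 +971,52 @@), "Multiple attributes can be used by specifying this directive multiple times" was carried over from the attribute directives; this directive takes objectClass values, so it should read "Multiple objectClass values can be specified by using this directive multiple times". The AuthLDAPSubGroupAttribute text should also point out that its default (`member` and `uniqueMember`) is identical to the AuthLDAPGroupAttribute default, so under default settings every member of a group is a potential sub-group that must be verified against AuthLDAPSubGroupClass before it is treated as a user or descended into; that is the reason the class check exists and it is worth saying so where the defaults are stated.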
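Review bot: the sentence added to mod_ldap.xml (@@ -155,6 +155,9 @@) says sub-group comparison results are cached but not which cache holds them, and it is inserted between the description of the compare cache and the sentence "The behavior of both of these caches is controlled with the LDAPOpCacheEntries and LDAPOpCacheTTL", so a reader cannot tell whether LDAPOpCacheTTL applies. It should state explicitly that these results are subject to the same TTL as the other comparison results. That is an authorization caveat worth spelling out: removing a user from a nested group, or a group from its parent, will not be reflected in Require ldap-group decisions until the cached entry expires, so LDAPOpCacheTTL now also bounds that window.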