Grouper Users - Open Discussion List

[Shilen Patel <>]

I use mod_authnz_ldap also but in a different way.  Rather than  
telling the module to look at a group object in LDAP, I tell it to  
look at the isMemberOf attribute in the user object.

For instance:

  require ldap-attribute ismemberof=name:of:group


-- Shilen



On May 29, 2009, at 3:40 PM, Chris Hyzer wrote:

> Hey,
>
> I am curious what people use to protect web resources with Grouper.
> I have seen the apache module mod_authnz_ldap, and we have used that  
> at Penn:
>
> http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html
>
> However, it is a little cumbersome to setup, and my understanding is  
> that it downloads the entire group's membership list (at least with  
> our LDAP setup) to see if one person is in the group.  It does do  
> caching though.  So it isn't good for us for large membership lists  
> (e.g. active Penn person).  We made a patch to mod_authnz_ldap which  
> does not download everything, though we haven't even really  
> distributed this within Penn since we don't want to have to be the  
> sole maintainers of it.
>
> If there is not a better way to do this, if we coded a new Apache  
> module based on mod_authnz_ldap (e.g. mod_grouper) which doesn't  
> download the entire group list, and is easy to configure, would  
> anyone be interested in helping to maintain it?  We weren't planning  
> on making modules for web servers other than apache...  or is anyone  
> interested in helping to maintain the mod_authnz_ldap patch (if we  
> cannot get it contributed back to the module itself)
>
> Thanks!
> Chris