
grouper-users - Re: [grouper-users] protecting web server resources with grouper

Subject: Grouper Users - Open Discussion List


  • From: Shilen Patel <>
  • To: Chris Hyzer <>
  • Cc: Grouper Users Mailing List <>
  • Subject: Re: [grouper-users] protecting web server resources with grouper
  • Date: Fri, 29 May 2009 16:14:48 -0400

I use mod_authnz_ldap also but in a different way. Rather than telling the module to look at a group object in LDAP, I tell it to look at the isMemberOf attribute in the user object.

For instance:

require ldap-attribute ismemberof=name:of:group


-- Shilen



On May 29, 2009, at 3:40 PM, Chris Hyzer wrote:

Hey,

I am curious what people use to protect web resources with Grouper.
I have seen the Apache module mod_authnz_ldap, and we have used that at Penn:

http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html

However, it is a little cumbersome to set up, and my understanding is that it downloads the entire group's membership list (at least with our LDAP setup) to see if one person is in the group. It does do caching though. So it isn't good for us for large membership lists (e.g. active Penn person). We made a patch to mod_authnz_ldap which does not download everything, though we haven't even really distributed this within Penn since we don't want to have to be the sole maintainers of it.

If there is not a better way to do this, if we coded a new Apache module based on mod_authnz_ldap (e.g. mod_grouper) which doesn't download the entire group list, and is easy to configure, would anyone be interested in helping to maintain it? We weren't planning on making modules for web servers other than Apache... or is anyone interested in helping to maintain the mod_authnz_ldap patch (if we cannot get it contributed back to the module itself)?

Thanks!
Chris
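
Added example, not part of either message above: an Apache 2.2 mod_authnz_ldap block that puts the group-object check discussed in the original question beside the isMemberOf attribute check from the reply. The host name, DNs, bind account and /protected path are placeholder assumptions; only the `Require ldap-attribute` line comes from the thread.

```apache
# Constructed example; ldap.example.edu, the DNs and /protected are placeholders.
<Location /protected>
    # Basic auth sends the password with every request, so refuse plain HTTP.
    SSLRequireSSL

    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap

    # ldaps:// protects the bind credentials and the user's password on the
    # way to the directory. Users are looked up by uid under ou=people.
    AuthLDAPURL "ldaps://ldap.example.edu/ou=people,dc=example,dc=edu?uid?sub"

    # Dedicated low-privilege account used for the search and compare.
    AuthLDAPBindDN "cn=apache-reader,ou=services,dc=example,dc=edu"
    AuthLDAPBindPassword "CHANGE_ME"

    # Group-object approach: authorization is decided against the member
    # list stored on the group entry.
    # Require ldap-group cn=name:of:group,ou=groups,dc=example,dc=edu

    # Attribute approach from the reply: authorization is decided against
    # the isMemberOf value on the authenticated user's own entry.
    # Quote the whole argument if the group name contains spaces.
    Require ldap-attribute ismemberof=name:of:group
</Location>
```

The bind account needs read or compare access to isMemberOf on user entries, otherwise every request is denied. Keep the file holding AuthLDAPBindPassword readable only by the account that starts the server.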



