
grouper-users - RE: [grouper-users] protecting web server resources with grouper

Subject: Grouper Users - Open Discussion List


RE: [grouper-users] protecting web server resources with grouper


  • From: Chris Hyzer <>
  • To: Shilen Patel <>
  • Cc: Grouper Users Mailing List <>
  • Subject: RE: [grouper-users] protecting web server resources with grouper
  • Date: Fri, 29 May 2009 16:22:10 -0400
  • Accept-language: en-US
  • Acceptlanguage: en-US

I see. I don't think we can do that; we don't have people with lists of
groups, only groups with lists of people. And the "read" privilege in
Grouper is provisioned to LDAP so that LDAP users can only query groups they
can "read". If they can read a group, the LDAP user can see the group and all
"hasMember" values of that group. This is with OpenLDAP.

Thanks,
Chris

> -----Original Message-----
> From: Shilen Patel
> [mailto:]
> Sent: Friday, May 29, 2009 4:15 PM
> To: Chris Hyzer
> Cc: Grouper Users Mailing List
> Subject: Re: [grouper-users] protecting web server resources with
> grouper
>
> I use mod_authnz_ldap also but in a different way. Rather than
> telling the module to look at a group object in LDAP, I tell it to
> look at the isMemberOf attribute in the user object.
>
> For instance:
>
> require ldap-attribute ismemberof=name:of:group
>
>
> -- Shilen
>
>
>
> On May 29, 2009, at 3:40 PM, Chris Hyzer wrote:
>
> > Hey,
> >
> > I am curious what people use to protect web resources with Grouper.
> > I have seen the apache module mod_authnz_ldap, and we have used that
> > at Penn:
> >
> > http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html
> >
> > However, it is a little cumbersome to set up, and my understanding is
> > that it downloads the entire group's membership list (at least with
> > our LDAP setup) to see if one person is in the group. It does do
> > caching though. So it isn't good for us for large membership lists
> > (e.g. active Penn person). We made a patch to mod_authnz_ldap which
> > does not download everything, though we haven't even really
> > distributed this within Penn since we don't want to have to be the
> > sole maintainers of it.
> >
> > If there is not a better way to do this, if we coded a new Apache
> > module based on mod_authnz_ldap (e.g. mod_grouper) which doesn't
> > download the entire group list, and is easy to configure, would
> > anyone be interested in helping to maintain it? We weren't planning
> > on making modules for web servers other than apache... or is anyone
> > interested in helping to maintain the mod_authnz_ldap patch (if we
> > cannot get it contributed back to the module itself).
> >
> > Thanks!
> > Chris
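For reference, the two mod_authnz_ldap styles discussed in this thread side by side, as an added httpd 2.2 configuration example that is not taken from either poster's setup. The hostname, base DNs, bind account and group name are placeholders; the group style assumes a Grouper-provisioned OpenLDAP group whose membership attribute is hasMember, and the attribute style assumes the directory maintains an isMemberOf value on each user entry.

```apache
# Added example (not from the thread): httpd 2.2 + mod_authnz_ldap.
# All hostnames, DNs, the bind account and the group name are placeholders.
<Location /protected>
    AuthType Basic
    AuthName "Grouper-protected resource"
    AuthBasicProvider ldap
    # Read-only service account. Per the thread, Grouper provisions the
    # "read" privilege into LDAP, so this account must be allowed to read
    # whatever the Require line below needs: the group entry and its
    # hasMember values, or the user's isMemberOf attribute.
    AuthLDAPURL "ldap://ldap.example.edu/ou=People,dc=example,dc=edu?uid?sub?(objectClass=person)"
    AuthLDAPBindDN "cn=httpd-authz,ou=Service,dc=example,dc=edu"
    AuthLDAPBindPassword "PLACEHOLDER-BIND-PASSWORD"
    AuthzLDAPAuthoritative on
</Location>

# Style 1 (Chris): authorize against the group object. The module
# checks whether the authenticated user's DN appears in the group's
# membership attribute, which for a Grouper-provisioned OpenLDAP group
# is hasMember (the default is "member uniqueMember").
<Location /protected/by-group>
    AuthLDAPGroupAttribute hasMember
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=name:of:group,ou=Groups,dc=example,dc=edu
</Location>

# Style 2 (Shilen): authorize against the user's own entry. This only
# works when the directory keeps isMemberOf on each user and the bind
# account may read it; several acceptable values can be listed
# separated by spaces, and the check is per-user rather than per-group.
<Location /protected/by-attribute>
    Require ldap-attribute ismemberof=name:of:group
</Location>
```

Both blocks inherit the authentication settings from the parent Location; in 2.2 several Require lines inside one block are ORed, so keep the two styles in separate blocks (as above) or pick one per resource.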



