One bit of fun you'll have is that Windows users expect groups to nest, but LDAP doesn't seem to do that. That is, you can have a group G some of whose members are groups G2, G3 etc. and an object which is only a member of (say) group G2 will be considered a member of group G as well -- by Windows, but not by LDAP.

I'm struggling with this now. The only way to know whether a userID here has a relationship with a particular campus X is to test its membership in group cn=X-Campus. But (for my campus) X-Campus contains only twenty other groups X-Campus-N, and the 26,000 users on this campus are distributed across those groups, for reasons known only to those who define the groups. I could do a big stack of Require rules, one per -N group, but I'll never know when the central IT guys will decide to add another one.

Short of some LDAP filter voodoo that does subqueries (whose existence sounds unlikely) it looks like I'm going to have to build a recursive membership test and then fit it onto Apache somehow (probably using mod_auth_external).

-- 
Mark H. Wood, Lead System Programmer   mwood@xxxxxxxxx
Open-source executable: $0.00. Source: $0.00 Control: priceless!

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
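An added example, not part of the original message: one way to write the recursive membership test it describes, walking upward from the user through the groups that list it as a `member`, so a newly added X-Campus-N subgroup is picked up without another Require rule. The directory contents, DNs, `max_groups` limit and the names `is_nested_member`, `parents_of` and `sample_parents` are hypothetical; `sample_parents` stands in for an LDAP search with filter `(member=<dn>)`.

```python
from collections import deque

BASE = "ou=groups,dc=example,dc=edu"   # constructed sample directory, not real data
# Group DN -> DNs in its "member" attribute (users and nested groups).
SAMPLE_GROUPS = {
    f"cn=X-Campus,{BASE}": [f"cn=X-Campus-1,{BASE}", f"cn=X-Campus-2,{BASE}"],
    f"cn=X-Campus-1,{BASE}": ["uid=alice,ou=people,dc=example,dc=edu"],
    f"cn=X-Campus-2,{BASE}": ["uid=bob,ou=people,dc=example,dc=edu"],
    # Two groups that contain each other: a cycle the walk must survive.
    f"cn=Y-Campus,{BASE}": [f"cn=Y-Campus-1,{BASE}"],
    f"cn=Y-Campus-1,{BASE}": [f"cn=Y-Campus,{BASE}",
                              "uid=carol,ou=people,dc=example,dc=edu"],
}

def norm(dn):
    """Simplified DN comparison (assumption): trim and case-fold only."""
    return dn.strip().lower()

def sample_parents(dn):
    """Stand-in for an LDAP search with filter (member=<dn>)."""
    return [g for g, members in SAMPLE_GROUPS.items()
            if norm(dn) in {norm(m) for m in members}]

def is_nested_member(user_dn, target_group_dn, parents_of, max_groups=500):
    """True if user_dn reaches target_group_dn through any chain of groups."""
    target = norm(target_group_dn)
    seen = set()
    queue = deque([user_dn])
    while queue:
        for group in parents_of(queue.popleft()):
            g = norm(group)
            if g == target:
                return True
            if g in seen:
                continue        # already expanded; this is what breaks cycles
            if len(seen) >= max_groups:
                return False    # fail closed: deny rather than search forever
            seen.add(g)
            queue.append(group)
    return False

if __name__ == "__main__":
    for uid in ("alice", "bob", "carol"):
        dn = f"uid={uid},ou=people,dc=example,dc=edu"
        print(uid, is_nested_member(dn, f"cn=X-Campus,{BASE}", sample_parents))
```

Where the directory is Active Directory, a filter using the matching rule OID 1.2.840.113556.1.4.1941, such as `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`, performs this chain expansion on the server.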