Monthly Archives: February 2009

Apache httpd ldap-auth: canonicalize usernames

I created a patch for Apache httpd's LDAP authentication (reported upstream as bug #646646). In my scenario I used:

AuthLDAPRemoteUserAttribute uid
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN Off
AuthBasicProvider ldap

require ldap-group cn=Domain Admins,ou=Group, dc=DOMAIN,dc=de

We always used lowercase usernames in memberUid. Some users tended to enter their usernames with a leading uppercase character. Password authentication worked; however, memberUid (from posixGroup, which is also used by Samba domain groups) is case-sensitive, so group authorization failed.

To fix this issue I created a patch for Apache httpd that adds a configuration option: when it is enabled, the username Apache httpd uses is replaced by the value of the “AuthLDAPRemoteUserAttribute” field from the LDAP result. This also canonicalizes usernames (in logs and the REQUEST_USER environment variable), so that the same casing is always used and (LDAP) aliases resolve to the same username.
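
The mismatch described above can be reproduced without a directory server. The following is an added example, not the patch itself and not httpd code: it models the case-insensitive uid search and the case-exact memberUid comparison, then shows the effect of replacing the typed login with the uid from the LDAP result. The directory contents, function names and the `canonicalize` switch are assumptions made for the illustration.

```python
# Constructed sample directory; all entries and names are illustrative.
ADMINS = "cn=Domain Admins,ou=Group,dc=example,dc=org"
USERS = [
    {"dn": "uid=alice,ou=People,dc=example,dc=org", "uid": "alice", "password": "s3cret"},
    {"dn": "uid=bob,ou=People,dc=example,dc=org", "uid": "bob", "password": "hunter2"},
]
GROUPS = {ADMINS: ["alice"]}  # memberUid values, stored in lowercase


def find_user(login):
    """Search on uid: the attribute uses caseIgnoreMatch, so 'Alice' finds 'alice'."""
    for entry in USERS:
        if entry["uid"].lower() == login.lower():
            return entry
    return None


def member_uid_compare(group_dn, name):
    """Compare on memberUid: posixGroup defines it with caseExactIA5Match."""
    return name in GROUPS.get(group_dn, [])


def handle_request(login, password, group_dn, canonicalize):
    """Return (http_status, logged_user) for one Basic-auth request.

    canonicalize=False: the typed login is used for the group check and the log.
    canonicalize=True: the uid value from the LDAP result replaces it first.
    """
    entry = find_user(login)
    # The password check stands in for the LDAP bind as the user's DN.
    if entry is None or entry["password"] != password:
        return 401, login
    user = entry["uid"] if canonicalize else login
    if not member_uid_compare(group_dn, user):
        return 403, user
    return 200, user


if __name__ == "__main__":
    for flag in (False, True):
        print(flag, handle_request("Alice", "s3cret", ADMINS, flag))
```

With canonicalization, the access log records `alice` for every spelling the user types, so per-user log correlation no longer depends on what was entered at the prompt.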