Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[PATCH] Added ability to look up operational attributes

Russ Allbery eagle at
Thu Apr 4 18:40:02 PDT 2013

Thanks for the patch!  I had a couple of questions about the details:

William Orr <worr at> writes:

> +    /*
> +     * If configured to look for operational attributes, query LDAP again for
> +     * all operational attributes and export them into the environment.
> +     */
> +     if (lc->dconf->oper_attribs != NULL) {
> +        if (lc->sconf->debug)
> +            ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
> +                "webauthldap: looking up operational attributes");
> +
> +        lc->attrs = apr_pcalloc(lc->r->pool, (sizeof(char*) * 2));
> +        lc->attrs[0] = LDAP_ALL_OPERATIONAL_ATTRIBUTES;
> +        lc->attrs[1] = NULL;
> +
> +        if (webauthldap_dosearch(lc) != 0) {
> +            apr_thread_mutex_unlock(lc->sconf->totalmutex); /* error: unlock */
> +            return DECLINED;
> +        }
> +
> +        /* Cool, we got the oper attrs, now set the envvars */
> +        for (i = 0; i<  lc->numEntries; i++)
> +            apr_table_do(webauthldap_exportattrib, lc, lc->entries[i], NULL);
> +        apr_table_do(webauthldap_attribnotfound, lc, lc->envvars, NULL);
> +
> +        if (lc->sconf->debug)
> +            ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server,
> +                "webauthldap: finished looking up params");
> +     }

You create a new distinguished list of operational attributes of
interest, but the above code doesn't seem to ever use that list?  Instead,
it looks like it just retrieves every operational attribute and puts them
all into the environment.  Was that the problem that you're trying to

A quick check with ldapsearch that I probably should have done earlier
seems to indicate that if one just adds a particular operational attribute
to the search filter, that works and returns that attribute, so I think
that, for the per-attribute code, nothing special has to be done to handle
operational attributes.  But maybe you're currently using "all" and the
goal was to come up with a version of "all" that was inclusive of
operational attributes?

You also do the search twice, but it looks like you can specify
operational attributes in the same search as regular attributes.

If the goal is to retrieve all operational attributes, I'm wondering if
would make sense to use some sort of keyword (like +) in the
WebAuthLdapAttribute directive to specify that all operational attributes
should be included.

Russ Allbery <eagle at>
Technical Lead, ITS Infrastructure Delivery Group, Stanford University

More information about the webauth-info mailing list