privacyidea-ldap-proxy
Fix integration with Apache httpd mod_auth_ldap
Hi,
just dumping this here, maybe it helps someone. (And yes, I know, there exists a "direct" integration of PrivacyIDEA and Apache HTTPD 2.2. But there are always people who want to do it differently. ;) )
Let's assume you use mod_auth_ldap for Apache HTTPD and want to use ldap proxy before your real LDAP server. So your configuration may look like the following snippet...
AuthType Basic
AuthName "Xxx Web Services"
AuthBasicProvider ldap
AuthLdapURL ldap://your-ldap-proxy|server/o=YourCompany,dc=YourCompany,dc=com?uid
AuthzLDAPAuthoritative on
AuthLDAPGroupAttributeIsDN off
AuthLDAPGroupAttribute memberUid
The current implementation of ldap proxy fails for two reasons:
- Referenced ldaptor (https://github.com/twisted/ldaptor/, 16.0.1) doesn't implement LDAPCompareRequest.
- ldap proxy crashes and burns b/c it doesn't handle LDAPCompareRequest properly either.
My fix was to check out the current (34367e3ad5404b8f46def4a40d9eea4c375fa300) version of ldaptor and use that one, and also to modify proxy.py of ldap proxy a bit (line 283):
elif isinstance(request, pureldap.LDAPCompareRequest):
    log.info('Incoming LDAPCompareRequest.')
    # log.info(request)
    return request, controls
(LDAPCompareRequest is used for checking of group membership.)
According to my quick and dirty tests it works. And I'm happy...
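As an added example (not code from the issue author or from the privacyidea-ldap-proxy project), here is a minimal BER encoder/decoder for the LDAP CompareRequest that mod_auth_ldap issues for a memberUid group check, plus a dispatcher that passes such requests through the way the proxy.py change above does. It has no ldaptor dependency; the function names and the sample DN are this example's own assumptions.

```python
# Added example: LDAP CompareRequest (RFC 4511 section 4.10) round trip.
# Tag values: SEQUENCE 0x30, INTEGER 0x02, OCTET STRING 0x04,
# CompareRequest = [APPLICATION 14] = 0x60 | 14 = 0x6E.

def _ber_len(n):
    """Encode a BER length in short or long definite form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, payload):
    return bytes([tag]) + _ber_len(len(payload)) + payload

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def encode_compare_request(msg_id, entry_dn, attr, value):
    """LDAPMessage { messageID, CompareRequest { entry, ava { attr, value } } }.
    msg_id is kept below 128 so the INTEGER fits in a single byte."""
    ava = _tlv(0x30, _tlv(0x04, attr.encode()) + _tlv(0x04, value.encode()))
    compare = _tlv(0x6E, _tlv(0x04, entry_dn.encode()) + ava)
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + compare)

def classify_request(msg):
    """Decode an LDAPMessage and describe the protocol op it carries."""
    _, body, _ = _read_tlv(msg, 0)
    _, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag != 0x6E:
        return {"id": mid[0], "op": "other", "tag": op_tag}
    _, dn, pos = _read_tlv(op, 0)
    _, ava, _ = _read_tlv(op, pos)
    _, attr, pos = _read_tlv(ava, 0)
    _, val, _ = _read_tlv(ava, pos)
    return {"id": mid[0], "op": "compare", "dn": dn.decode(),
            "attr": attr.decode(), "value": val.decode()}

def proxy_dispatch(msg):
    """Mirror the patch: a compare request is forwarded to the real LDAP
    server unchanged instead of being dropped by the proxy."""
    info = classify_request(msg)
    return ("forward", info) if info["op"] == "compare" else ("reject", info)
```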
Thanks a lot for sharing your experience! This is indeed very useful information :) I'll keep this issue open so we can see what we can do about the LDAP compare requests.