How to pass all LDAP groups in request header? #803
We use mod_auth_openidc for authentication and an LDAP server for authorization, pretty much exactly as shown in https://github.com/zmartzone/mod_auth_openidc/wiki/Authorization#2-mod_authnz_ldap . We name a group in our httpd-ssl.conf that people must be in, and access is granted (or denied) based on the LDAP server's answer about an authenticated user. But today we only have one LDAP group; you're either in or out. Next step: define and use multiple groups. For example, a user should be allowed privileged admin functions within our app only if the user is in the appropriate LDAP group. But that's not a decision the Apache HTTPD server can make. Please tell me, is there a way to add all the user's LDAP group names in a request header going to our back-end server? That will let our server use the LDAP groups to make fine-grained decisions about data access based on user privileges. I hope this question makes sense. Thanks in advance.
Replies: 1 comment 1 reply
It is more of a question for/about mod_authz_ldap: it looks like environment variables are made available that can be used in mod_header's RequestHeader primitive to pass them on in a header. See: https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html#exposed
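
One way to wire up what the reply describes, as an added example that is not part of the original thread or the mod_auth_openidc project. It assumes the directory exposes group membership in a memberOf attribute on the user entry; the host names, DNs and the X-LDAP-Groups header name are placeholders, and the exact environment variable name should be confirmed against the linked documentation for your httpd version.

```apache
# Added example. Requires mod_auth_openidc, mod_authnz_ldap, mod_headers
# and mod_proxy_http to be loaded. All hosts and DNs are placeholders.
<Location "/">
    # Authentication is done by mod_auth_openidc, as in the question.
    AuthType openid-connect

    # List every attribute you want exposed after the base DN. The first
    # one (uid) is used to look the user up; memberOf is only requested
    # so that it becomes available as an environment variable.
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid,memberOf?sub?(objectClass=*)"

    # Coarse gate stays in Apache: the user must be in the base group.
    Require ldap-group cn=app-users,ou=groups,dc=example,dc=com

    # Always drop whatever the client sent under this name first, so the
    # back end never sees a caller-supplied group list.
    RequestHeader unset X-LDAP-Groups

    # Because mod_authnz_ldap acts here as the authorization provider
    # (authentication is OIDC), the attribute is expected under the
    # AUTHORIZE_ prefix. The upper-cased name AUTHORIZE_MEMBEROF is an
    # assumption; check it with a test request before relying on it.
    # The env= condition keeps the header absent, rather than set to
    # a dummy value, when the variable was not populated.
    RequestHeader set X-LDAP-Groups "%{AUTHORIZE_MEMBEROF}e" env=AUTHORIZE_MEMBEROF

    ProxyPass        "http://backend.example.internal:8080/"
    ProxyPassReverse "http://backend.example.internal:8080/"
</Location>
```

The back end should accept X-LDAP-Groups only on connections from this proxy and treat a missing header as "no groups", since the header is trustworthy only when Apache is the sole path to the application.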