Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/10/11 21:57:45 UTC
DO NOT REPLY [Bug 31428] - mod_auth_ldap Needs READ Access to LDAP to auth
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=31428>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=31428
mod_auth_ldap Needs READ Access to LDAP to auth
wrolf.courtney@donovandata.com changed:
What            |Removed        |Added
----------------------------------------------------------------------------
CC              |               |wrolf.courtney@donovandata.com
Severity        |Enhancement    |Major
Priority        |Other          |Medium
------- Additional Comments From wrolf.courtney@donovandata.com 2004-10-11 19:57 -------
Version 2.0.51 behavior differs critically from 2.0.49.
The new behavior is that after authenticating the user with a SEARCH and then a
BIND as the actual user, mod_auth_ldap/mod_ldap "logs out" of LDAP by issuing a
null (anonymous) BIND request. Group membership is then checked, but
anonymously, which in many cases (e.g. my Domino LDAP server) fails.
Previously, mod_auth_ldap stayed "logged in", leaving the BIND intact and
allowing the DN's group membership to be queried.
I have confirmed this difference in an Ethereal trace.
Since the point of LDAP is to allow a single place for authentication and
authorization information within an environment, it is not reasonable to expect
the administrators of the LDAP servers to be the same group as the
administrator of a given Apache server. (In my case, they are not.)
Please return to the previous behavior.
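The two connection-handling sequences described in the report, simulated as an added example (this is not code from the report or from mod_auth_ldap) against a constructed in-memory directory whose access policy permits an anonymous SEARCH for user entries but denies anonymous reads of group membership. All DNs, passwords and the group name are made up. With the 2.0.49-style sequence the user's own BIND is still in effect when the group is read; with the 2.0.51-style anonymous re-BIND the same read fails with insufficientAccessRights instead of producing a membership decision.

```python
"""Simulation of the mod_auth_ldap SEARCH / BIND / group-check sequence.

Constructed example: the directory, its entries, passwords and access rules
are made up to mirror the behaviour the bug report describes (anonymous
clients may find users but may not read group membership).
"""

# Constructed directory. User entries are findable by anyone; the group
# entry's membership is only readable by an authenticated (non-anonymous) bind.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": "alice",
        "userPassword": "alice-pw",
    },
    "cn=webadmins,ou=groups,dc=example,dc=com": {
        "member": ["uid=alice,ou=people,dc=example,dc=com"],
    },
}

GROUP_DN = "cn=webadmins,ou=groups,dc=example,dc=com"


class LdapError(Exception):
    """Stands in for an LDAP result code other than success."""


class MockLdapConnection:
    """Tracks which identity the connection is currently bound as."""

    def __init__(self):
        self.bound_dn = None  # None models an anonymous (null) BIND

    def bind(self, dn=None, password=None):
        if dn is None:
            # A null BIND re-establishes an anonymous session: the "logout"
            # the report observes in 2.0.51.
            self.bound_dn = None
            return
        entry = DIRECTORY.get(dn)
        if entry is None or entry.get("userPassword") != password:
            raise LdapError("invalidCredentials")
        self.bound_dn = dn

    def search_user_dn(self, uid):
        # SEARCH for the user's DN. Permitted anonymously in this policy.
        for dn, attrs in DIRECTORY.items():
            if attrs.get("uid") == uid:
                return dn
        raise LdapError("noSuchObject")

    def is_member(self, group_dn, user_dn):
        # Reading group membership requires an authenticated bind here.
        if self.bound_dn is None:
            raise LdapError("insufficientAccessRights")
        return user_dn in DIRECTORY[group_dn].get("member", [])


def authorize(uid, password, group_dn, rebind_anonymous):
    """Run the module's sequence and report the authorization outcome.

    rebind_anonymous=False reproduces the 2.0.49 behaviour (BIND left intact);
    rebind_anonymous=True reproduces the 2.0.51 behaviour (null BIND before
    the group check).
    Returns "allowed", "denied", or "error: <ldap result>".
    """
    conn = MockLdapConnection()
    try:
        user_dn = conn.search_user_dn(uid)   # 1. SEARCH for the DN
        conn.bind(user_dn, password)         # 2. BIND as the actual user
        if rebind_anonymous:
            conn.bind()                      # 3. (2.0.51) null BIND, now anonymous
        member = conn.is_member(group_dn, user_dn)  # 4. group check
    except LdapError as exc:
        return f"error: {exc}"
    return "allowed" if member else "denied"


if __name__ == "__main__":
    for rebind in (False, True):
        label = "2.0.51-style" if rebind else "2.0.49-style"
        print(label, authorize("alice", "alice-pw", GROUP_DN, rebind))
```

The point the simulation makes is that after the anonymous re-BIND the authorization decision no longer depends on the authenticated user's rights but on what the directory lets anonymous clients read, which is a directory-policy choice the Apache administrator may not control. Where a directory will not grant that read anonymously, mod_auth_ldap's own AuthLDAPBindDN and AuthLDAPBindPassword directives allow the module to bind as a dedicated read-only account for its searches and group lookups.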
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org