Posted to users@httpd.apache.org by Ed Avis <ed...@waniasset.com> on 2009/02/26 16:21:15 UTC

[users@httpd] Re: Confused about LDAP authentication with Active Directory

Davide Bianchi <davide <at> walterisookeensufferukker.nl> writes:

>><http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html> imply that
>>Apache connects to the LDAP server using a fixed username and
>>password, and then merely queries the existence of an object in the
>>directory that matches the username. If so how does it check the
>>password supplied by the user?
>
>The problem is that in order to check the password, you need to 'bind'
>to the AD server using the correct DN, in order to find the DN you need
>to query the AD server with the username. But AD doesn't allow you to
>query it without first binding.

So what happens is this:

- Apache binds using a fixed username and password.
- It then tries to look up the username given using the query expression
specified in the config file.
- Then it binds again using this username and the password supplied by the user.

Is that correct?

If so, it seems unnecessary in the case of Active Directory, since AD allows you
to bind simply giving username and password (you don't have to give a full DN
when binding).

-- 
Ed Avis <ed...@waniasset.com>
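An added example, not from the message above or from the Apache project, of a mod_authnz_ldap configuration against Active Directory that maps onto the three steps just described; the hostname, base DN, service-account name, CA path and password are placeholders.

```apache
# Added example (not from the thread): mod_authnz_ldap against Active
# Directory, one block per step of the bind / search / rebind sequence.
# Hostname, base DN, account names, CA path and password are placeholders.

# Server context: trust the AD certificate authority so that the ldaps://
# connection below actually verifies the domain controller's certificate.
LDAPTrustedGlobalCert CA_BASE64 "/etc/ssl/certs/example-ad-ca.pem"
LDAPVerifyServerCert On

<Location "/intranet">
    AuthType Basic
    AuthName "Intranet (AD credentials)"
    AuthBasicProvider ldap

    # Step 1: Apache binds with a fixed account. AD refuses anonymous
    # searches by default, so this account exists only to locate the user's
    # DN; give it read access to user objects and nothing more.
    AuthLDAPBindDN "CN=svc-httpd-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE-WITH-SERVICE-ACCOUNT-PASSWORD"

    # Step 2: search the subtree for the object whose sAMAccountName equals
    # the login name sent by the browser. The (objectClass=user) filter stops
    # a computer or group object with the same name from matching.
    # ldaps:// keeps both the service-account and the user's password off the
    # wire in clear text.
    AuthLDAPURL "ldaps://dc1.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Step 3: mod_authnz_ldap rebinds with the DN found in step 2 and the
    # password the user supplied. The password is never compared by Apache;
    # the domain controller's own bind result decides. There is no directive
    # to skip steps 1-2 and bind directly as user@example.com, which is the
    # shortcut the follow-up reply refers to.
    Require valid-user
</Location>
```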



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Re: Confused about LDAP authentication with Active Directory

Posted by Eric Covener <co...@gmail.com>.
> If so, it seems unnecessary in the case of Active Directory, since AD allows you
> to bind simply giving username and password (you don't have to give a full DN
> when binding).

It is unnecessary to perform the search if your users provide
something that can bind to the LDAP server directly.

Patches welcome (but it's unfortunately complicated by the
mod_ldap/mod_authnz_ldap separation).

-- 
Eric Covener
covener@gmail.com
