Posted to dev@httpd.apache.org by Sebastian Tusk <se...@gmx.net> on 2003/02/26 23:49:24 UTC
auth_ldap authentication as user
Hi there,
I had some trouble getting auth_ldap to work. I solved the problems, but
not to my complete satisfaction. The reason for this is the way
auth_ldap does the authentication with the ldap server.
Here is the sequence of operations auth_ldap does in a default ldap setup.
In this setup anyone has read access to all data (except passwords) of
the directory.
Operation                                                          Bound As   Access
open connection to ldap server                                     --         --
bind as admin (dn and password provided by conf)                   admin      read/write
start authentication of user "name1"                               admin      read/write
search for user "name1"                                            admin      read/write
bind as name1 (dn provided by search operation, password by user)  name1      read
end authentication of user "name1"                                 name1      read
start authentication of user "name2"                               name1      read
search for user "name2"                                            name1      read
bind as name2 (dn provided by search operation, password by user)  name2      read
end authentication of user "name2"                                 name2      read
...
In my setup only the ldap admin has read access to the data in the
directories. Nobody else has read access rights to the data. That works
with pam and samba but not with auth_ldap. Here is the sequence with the
altered setup.
Operation                                                          Bound As   Access
open connection to ldap server                                     --         --
bind as admin (dn and password provided by conf)                   admin      read/write
start authentication of user "name1"                               admin      read/write
search for user "name1"                                            admin      read/write
bind as name1 (dn provided by search operation, password by user)  name1      --
end authentication of user "name1"                                 name1      --
start authentication of user "name2"                               name1      --
search for user "name2"                                            name1      --
Because of the missing access rights to the data the search fails and
returns zero results every time.
I think a solution would be to bind as admin before doing the search. As
a workaround I give read access to authenticated users.
Sebastian
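A toy model of the bind/search sequence in the tables above, added here as an illustration and not code from the original post or from auth_ldap itself. It uses a constructed in-memory directory with the "altered setup" ACL (only the admin may read entries) and shows why the second user's search returns nothing unless the connection is rebound as admin before each search.

```python
# Constructed sample directory; DNs, uids and passwords are made up.
ADMIN_DN = "cn=admin,dc=example,dc=com"
DIRECTORY = {  # dn -> (uid, password)
    "uid=name1,ou=people,dc=example,dc=com": ("name1", "pw1"),
    "uid=name2,ou=people,dc=example,dc=com": ("name2", "pw2"),
}
PASSWORDS = {ADMIN_DN: "secret"}
PASSWORDS.update({dn: pw for dn, (_, pw) in DIRECTORY.items()})


class Conn:
    """One persistent LDAP connection; it remembers who it is bound as."""

    def __init__(self):
        self.bound_as = None

    def bind(self, dn, password):
        if PASSWORDS.get(dn) != password:
            self.bound_as = None  # a failed bind leaves the connection anonymous
            raise PermissionError("invalid credentials")
        self.bound_as = dn

    def search(self, uid):
        # ACL of the altered setup: only the admin may read directory entries.
        if self.bound_as != ADMIN_DN:
            return []
        return [dn for dn, (u, _) in DIRECTORY.items() if u == uid]


def authenticate(conn, uid, password, rebind_as_admin):
    """Return True if uid/password are valid.

    With rebind_as_admin=False this mirrors the reported behaviour: the
    connection stays bound as the previously authenticated user, so the
    search for the next user runs with that user's (insufficient) rights.
    With rebind_as_admin=True the search always runs as the admin."""
    if rebind_as_admin:
        conn.bind(ADMIN_DN, PASSWORDS[ADMIN_DN])
    hits = conn.search(uid)
    if len(hits) != 1:
        return False
    try:
        conn.bind(hits[0], password)  # verify the user's password
    except PermissionError:
        return False
    return True


def run_sequence(rebind_as_admin):
    """Authenticate name1 then name2 over one connection, as in the tables."""
    conn = Conn()
    conn.bind(ADMIN_DN, PASSWORDS[ADMIN_DN])  # initial bind from the config
    return [authenticate(conn, "name1", "pw1", rebind_as_admin),
            authenticate(conn, "name2", "pw2", rebind_as_admin)]
```

`run_sequence(False)` reproduces the report (name1 succeeds, name2 fails because its search returns nothing), while `run_sequence(True)` authenticates both.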
Re: auth_ldap authentication as user
Posted by Graham Leggett <mi...@sharp.fm>.
Sebastian Tusk wrote:
> I do. Can you please reread my previous post. That is not the problem.
> The problem is that for the first user auth_ldap binds as admin with the
> binddn and the bindpassword provided in the httpd.conf. But then
> auth_ldap binds as the user that has authenticated.
For the purposes of finding out whether that person's password is
correct. This is correct behaviour.
> The problem is that
> this user may not have enough privileges to do further searches. But
> auth_ldap uses searches as part of the authentication process.
So what you are saying is that the group search, etc is happening while
bound as a user, rather than bound as the admin? If this is the case it
is a bug - please add it to the bugzilla database so it does not fall
through the cracks.
Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm "There's a moon
over Bourbon Street
tonight..."
Re: auth_ldap authentication as user
Posted by Sebastian Tusk <se...@gmx.net>.
>> I had some trouble getting auth_ldap to work. I solved the problems
>> but not to my complete satisfaction. The reason for this is the way
>> auth_ldap does the authentication with the ldap server.
>>
>> Here is the sequence of operations auth_ldap does in a default ldap
>> setup. In this setup anyone has read access to all data (except
>> passwords) of the directory.
>
> Use the AuthLDAPBindDN and AuthLDAPBindPassword directives to solve
> this. Details are in the manual.
I do. Can you please reread my previous post. That is not the problem.
The problem is that for the first user auth_ldap binds as admin with the
binddn and the bindpassword provided in the httpd.conf. But then
auth_ldap binds as the user that has authenticated. The problem is that
this user may not have enough privileges to do further searches. But
auth_ldap uses searches as part of the authentication process.
Regards,
Sebastian
Re: auth_ldap authentication as user
Posted by Graham Leggett <mi...@sharp.fm>.
Sebastian Tusk wrote:
> I had some trouble getting auth_ldap to work. I solved the problems but
> not to my complete satisfaction. The reason for this is the way
> auth_ldap does the authentication with the ldap server.
>
> Here is the sequence of operations auth_ldap does in a default ldap setup.
> In this setup anyone has read access to all data (except passwords) of
> the directory.
Use the AuthLDAPBindDN and AuthLDAPBindPassword directives to solve
this. Details are in the manual.
Regards,
Graham