Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/09/26 21:15:59 UTC

DO NOT REPLY [Bug 31428] New: - mod_auth_ldap Needs READ Access to LDAP to auth

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=31428>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=31428

mod_auth_ldap Needs READ Access to LDAP to auth

           Summary: mod_auth_ldap Needs READ Access to LDAP to auth
           Product: Apache httpd-2.0
           Version: 2.0.51
          Platform: Other
        OS/Version: FreeBSD
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_auth_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: david@kineticode.com


I had thought that when I set up mod_auth_ldap that it would attempt to
authenticate to the LDAP server using a dn for the user ID submitted in the
request. This would allow me to configure OpenLDAP so that anonymous users had
auth access only. But mod_auth_ldap doesn't work that way. What it does instead
is bind to the ldap server as anonymous (or the dn specified by AuthLDAPBindDN),
search for the appropriate user object, and then authenticate that user (bind
again?).

I think of this as a minor security bug, as it means that I either need to allow
anonymous READ access to my people ou, or create a user just for mod_auth_ldap
to bind to that has READ access (and whose password will be in httpd.conf!).
Would it be possible to add a directive to mod_auth_ldap to have it bind to the
ldap server as the user attempting to auth? I'm thinking something like:

  AuthLDAPBindUser (uid=%s,ou=people,dc=example,dc=com)

Thanks!

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
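The three ways of wiring the search-then-bind flow that the report contrasts, written out as an added httpd configuration example. This is not from the original post or from the httpd project; the hostname, base DN, object class and service account name are assumptions. The first two blocks are what the 2.0 module the report was filed against actually does (bind anonymously or as AuthLDAPBindDN, search for the user's DN, then bind as that DN with the password the client supplied). The third block uses AuthLDAPInitialBindAsUser and AuthLDAPInitialBindPattern, which mod_authnz_ldap in httpd 2.4 provides for what the report proposes as AuthLDAPBindUser; those directives do not exist in the 2.0 module.

```apache
# Added example; not from the original report or the httpd project.
# ldap.example.com, ou=people,dc=example,dc=com and cn=httpd-auth are assumptions.
# Requires mod_ldap and mod_authnz_ldap (httpd 2.4 naming).

# (1) Flow the report describes: no AuthLDAPBindDN, so the DN search runs as
# anonymous, then the module binds as the DN it found with the client's
# password. The directory must let anonymous clients search ou=people and
# read uid, which is exactly the READ access the report objects to.
<Location "/private-anon">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)" STARTTLS
    Require valid-user
</Location>

# (2) The alternative the report dislikes: a dedicated search account whose
# password lives in httpd.conf. Same search-then-bind flow, but the search
# runs as cn=httpd-auth. Keep the file unreadable to non-root; httpd 2.4.5+
# also accepts "exec:/path/to/program" here to fetch the secret at startup.
<Location "/private-svc">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)" STARTTLS
    AuthLDAPBindDN "cn=httpd-auth,ou=services,dc=example,dc=com"
    AuthLDAPBindPassword "search-account-secret"
    Require valid-user
</Location>

# (3) What the report asks for, as shipped in 2.4's mod_authnz_ldap: the
# first bind is done with the client's own credentials, the username being
# rewritten into a DN by AuthLDAPInitialBindPattern (regex, substitution).
# The module still searches for the user's entry after that bind, so the
# user's own DN needs search access to the base and read on "uid"; anonymous
# clients then need only "auth" access to userPassword, not read.
<Location "/private-asuser">
    AuthType Basic
    AuthName "Restricted"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/ou=people,dc=example,dc=com?uid?sub?(objectClass=inetOrgPerson)" STARTTLS
    AuthLDAPInitialBindAsUser On
    AuthLDAPInitialBindPattern "(.+)" "uid=$1,ou=people,dc=example,dc=com"
    Require valid-user
</Location>
```

Two points worth checking before relying on block (3). First, every variant sends the user's password to the directory in a simple bind, so the STARTTLS (or an ldaps:// URL) on AuthLDAPURL is not optional in production. Second, because the module searches for the entry after binding as the user, an OpenLDAP ACL that grants anonymous "auth" on userPassword alone is not enough: the user's own DN must also be allowed to search ou=people and read the attribute named in the URL, otherwise the search returns nothing and authentication fails even though the bind succeeded.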