Posted to users@httpd.apache.org by Eric Covener <co...@gmail.com> on 2009/02/26 19:59:13 UTC

Re: [users@httpd] Confused about LDAP authentication with Active Directory

On Thu, Feb 26, 2009 at 1:42 PM, Peter Schober
<pe...@univie.ac.at> wrote:
> * Davide Bianchi <da...@walterisookeensufferukker.nl> [2009-02-26 19:33]:
>> Well, to be picky, a 100% compliant LDAP server doesn't require to
>> bind to do a first-level query, so you should be able to get your DN
>> without the need for a fixed username/password.
>
> Making a "query" without a "bind" in one sentence makes no sense to
> me. Be it an anonymous bind or a bind with a dn supplied, you bind,
> then you search.

In LDAPv3, the bind is optional.

-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Confused about LDAP authentication with Active Directory

Posted by Eric Covener <co...@gmail.com>.
On Fri, Feb 27, 2009 at 9:30 AM, Mark H. Wood <mw...@iupui.edu> wrote:
> On Thu, Feb 26, 2009 at 01:59:13PM -0500, Eric Covener wrote:
>> In LDAPv3, the bind is optional.
>
> However, without a non-anonymous bind, ADS will cheerfully accept your
> connection and as cheerfully return no information, regardless of the
> validity of your query.  To actually get results out of ADS you have
> to identify yourself.

No disagreement here; OOTB ADS requires authentication for searches
and does provide a decent error msg.

A previous post dropped the context of my reply:

> Making a "query" without a "bind" in one sentence makes no sense to
> me. Be it an anonymous bind or a bind with a dn supplied, you bind,
> then you search.


-- 
Eric Covener
covener@gmail.com



Re: [users@httpd] Confused about LDAP authentication with Active Directory

Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
On Thu, Feb 26, 2009 at 01:59:13PM -0500, Eric Covener wrote:
> In LDAPv3, the bind is optional.

However, without a non-anonymous bind, ADS will cheerfully accept your
connection and as cheerfully return no information, regardless of the
validity of your query.  To actually get results out of ADS you have
to identify yourself.

-- 
Mark H. Wood, Lead System Programmer   mwood@IUPUI.Edu
Friends don't let friends publish revisable-form documents.

Re: [users@httpd] Confused about LDAP authentication with Active Directory

Posted by Peter Schober <pe...@univie.ac.at>.
* Eric Covener <co...@gmail.com> [2009-02-26 20:06]:
> In LDAPv3, the bind is optional.

OK, I see it in the RFC. But it seems it's not optional in httpd.
Also you can't produce searches without binds with e.g. ldapsearch.
And it won't make much of a difference to the OP, since an anonymous
bind (i.e. not specifying AuthLDAPBindDN) and search will be
functionally equivalent to a connect + search.

cheers,
-peter

-- 
peter.schober@univie.ac.at - vienna university computer center
Universitaetsstrasse 7, A-1010 Wien, Austria/Europe
Tel. +43-1-4277-14155, Fax. +43-1-4277-9140
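
The two cases discussed in this thread, as an added mod_authnz_ldap configuration sketch that is not from any of the posters. The host name, base DN, paths and the service account are placeholders; the first block shows the anonymous search that a default Active Directory will not answer, the second the search bind with AuthLDAPBindDN.

```apache
# Constructed example: host name, base DN, paths and account are placeholders.

# Case 1: no AuthLDAPBindDN. httpd binds anonymously, then searches for the
# user's DN. A default Active Directory does not answer that search, so the
# DN lookup fails before the user's password is ever checked.
<Location "/anon-search">
    AuthType Basic
    AuthName "Directory login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    Require valid-user
</Location>

# Case 2: httpd first binds as a dedicated lookup account, searches for the
# entry whose sAMAccountName matches the login name, then binds again as
# that entry with the password the user supplied.
<Location "/bound-search">
    AuthType Basic
    AuthName "Directory login"
    AuthBasicProvider ldap
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"
    # Placeholder service account: give it read access to the user subtree only.
    AuthLDAPBindDN "CN=httpd-lookup,OU=Service Accounts,DC=example,DC=com"
    # Placeholder value: the real password sits in this file in clear text.
    AuthLDAPBindPassword "REPLACE_ME"
    Require valid-user
</Location>
```

Because the bind password is stored in the configuration, keep that file readable only by the account that starts httpd, and use ldaps:// so neither the lookup bind nor the user's bind crosses the network in clear text.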
