httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 48340] Binding with user-supplied credentials
Date Tue, 08 Dec 2009 13:17:19 GMT

--- Comment #3 from Issac Goldstand <> 2009-12-08 05:17:16 UTC ---
(In reply to comment #0)
> Created an attachment (id=24671)
> the proposed patch
> I'm proposing a patch to use the username and password entered by the user in
> the compare phase.
> It does something similar to #43792, but differently:
>  - it uses the dn retrieved from the server, instead of appending a suffix to
> the username
>  - it saves the password in authn_ldap_request_t, as long as needed then wipes
> it
> It adds a new configuration flag: AuthLDAPBindAsUser
> The flag defaults to off; when set to 'on' it enables the bind-as-user behaviour.
> The patch is against 2.2.14.

I'm wondering what we're accomplishing by doing the authorization with the
bound user?  We're already using the config-supplied DN and password to bind
during the authentication phase, and your patch still requires authentication
to be provided by mod_authnz_ldap (to cache the password for the authorization
bind), so what are we gaining by binding as the user only in the latter phase?

It's a bit confusing, as on first read I'd assumed that you were talking about
the authentication bind, which would have made more sense, albeit it would need to
be documented as being as potentially dangerous as HTTP basic auth over the
network (although this refers to the backend network), unless a secure
connection to the LDAP server was used.
