httpd-dev mailing list archives

From Sebastian Tusk <sebastian.t...@gmx.net>
Subject auth_ldap authentication as user
Date Wed, 26 Feb 2003 22:49:24 GMT
Hi there,

I had some trouble getting auth_ldap to work. I solved the problems, but
not to my complete satisfaction. The reason for this is the way
auth_ldap does the authentication with the LDAP server.

Here is the sequence of operations auth_ldap does in a default LDAP setup.
In this setup anyone has read access to all data (except passwords) in
the directory.

Operation                                           Bound As   Access

open connection to ldap server                      --         --
bind as admin (dn and password provided by conf)
                                                    admin      read/write

start authentication of user "name1"                admin      read/write
search for user "name1"                             admin      read/write
bind as name1 (dn provided by search operation, password by user)
                                                    name1      read
end authentication of user "name1"                  name1      read

start authentication of user "name2"                name1      read
search for user "name2"                             name1      read
bind as name2 (dn provided by search operation, password by user)
                                                    name2      read
end authentication of user "name2"                  name2      read
...

In my setup only the LDAP admin has read access to the data in the
directory. Nobody else has read access to the data. That works
with PAM and Samba, but not with auth_ldap. Here is the sequence with the
altered setup.

Operation                                           Bound As   Access

open connection to ldap server                      --         --
bind as admin (dn and password provided by conf)
                                                    admin      read/write

start authentication of user "name1"                admin      read/write
search for user "name1"                             admin      read/write
bind as name1 (dn provided by search operation, password by user)
                                                    name1      --
end authentication of user "name1"                  name1      --

start authentication of user "name2"                name1      --
search for user "name2"                             name1      --

Because of the missing access rights to the data, the search fails and
returns zero results every time.

I think a solution would be to bind as admin before doing the search. As
a workaround I give read access to authenticated users.

Sebastian
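The failure mode in the post comes down to one property of the LDAP protocol: the identity a connection is bound as is connection state, and a later bind replaces the earlier one, so a search issued after "bind as name1" runs with name1's rights, not the admin's. The following is an added example, not auth_ldap's or Apache's code: a small in-memory stand-in for an LDAP server that enforces only that rule, with the two access-control setups from the post side by side. It runs the sequence the post describes (bind as admin once, then search and bind per user) and the proposed fix (rebind as admin before every search). The DNs, passwords and the `FakeLdapConnection` class are constructed for the example. A failed bind leaves the connection anonymous, which is how a real server behaves and why a wrong password for name1 also breaks the admin-only case.

```python
"""Model of the auth_ldap bind/search sequence described in the post.

Constructed example, not auth_ldap's own code. The fake server enforces
one rule: whoever the connection is currently bound as decides what a
search may read.
"""

ADMIN_DN = "cn=admin,dc=example,dc=com"   # constructed sample DN
ADMIN_PW = "admin-secret"                 # constructed sample password

# Constructed directory: dn -> attributes. userPassword is never returned
# by a search; it is only consulted by bind().
DIRECTORY = {
    ADMIN_DN: {"cn": "admin", "userPassword": ADMIN_PW},
    "uid=name1,ou=people,dc=example,dc=com": {"uid": "name1", "userPassword": "pw1"},
    "uid=name2,ou=people,dc=example,dc=com": {"uid": "name2", "userPassword": "pw2"},
}


class FakeLdapConnection:
    """One LDAP connection. The bound identity is connection state: a later
    bind replaces the earlier one, which is what trips auth_ldap up."""

    def __init__(self, directory, anonymous_read):
        self.directory = directory
        # True models the default setup from the post (everyone may read
        # everything except passwords); False models the poster's setup
        # (only the admin may read).
        self.anonymous_read = anonymous_read
        self.bound_dn = None  # None means not bound, i.e. anonymous

    def bind(self, dn, password):
        entry = self.directory.get(dn)
        if entry is None or entry["userPassword"] != password:
            self.bound_dn = None  # a failed bind leaves the connection anonymous
            return False
        self.bound_dn = dn
        return True

    def _can_read(self):
        # Access control as the post describes it: the admin always reads,
        # everybody else only when the directory is world-readable.
        return self.bound_dn == ADMIN_DN or self.anonymous_read

    def search(self, uid):
        """Return the DNs whose uid matches. An unauthorised search is not a
        protocol error; it simply yields zero results, as the post observes."""
        if not self._can_read():
            return []
        return [dn for dn, attrs in self.directory.items() if attrs.get("uid") == uid]


def auth_ldap_sequence(conn, credentials):
    """The sequence from the post: bind as admin once, then for each user
    search for the DN and bind as that user, never rebinding as admin.
    Returns {uid: authenticated?}."""
    conn.bind(ADMIN_DN, ADMIN_PW)
    results = {}
    for uid, password in credentials:
        found = conn.search(uid)
        results[uid] = bool(found) and conn.bind(found[0], password)
    return results


def rebind_sequence(conn, credentials):
    """The fix the post proposes: bind as admin before every search, so the
    search always runs with the admin's read rights."""
    results = {}
    for uid, password in credentials:
        conn.bind(ADMIN_DN, ADMIN_PW)
        found = conn.search(uid)
        results[uid] = bool(found) and conn.bind(found[0], password)
    return results


# Constructed credentials for the two users from the post.
CREDS = [("name1", "pw1"), ("name2", "pw2")]


if __name__ == "__main__":
    for anon in (True, False):
        print("anonymous_read =", anon)
        print("  auth_ldap sequence:", auth_ldap_sequence(FakeLdapConnection(DIRECTORY, anon), CREDS))
        print("  rebind sequence:   ", rebind_sequence(FakeLdapConnection(DIRECTORY, anon), CREDS))
```

With `anonymous_read=True` both sequences authenticate both users; with `anonymous_read=False` the post's sequence authenticates name1 and then returns zero results for name2, while the rebind sequence authenticates both. The rebind costs one extra bind per authentication and keeps the admin credentials in use on every request, which is the trade-off behind the poster's workaround of granting read access to authenticated users instead.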

