httpd-dev mailing list archives

From "drotiro@tiscali.it" <drot...@tiscali.it>
Subject Re: [PATCH 48340] Binding as user in mod_authnz_ldap
Date Mon, 07 Dec 2009 13:49:43 GMT
> Hope commit over the next couple of days, just dispelled the two bogus
> concerns I had.  Can you suggest some doc on how your basic auth
> usernames have to relate to what is able to bind directly to the LDAP
> server? I think the arrangement on your server w/ the UID being able
> to bind as-is may be somewhat uncommon (paging any platform gurus)

Thanks Eric,
since I'm not a native English speaker I'll try to explain things and answer
your question using an example.

Let's start with an ldap entry:

	dn: CN=ONE USER,OU=IT People,O=My Company
	cn: ONE USER
	objectclass: inetOrgPerson
	objectclass: organizationalPerson
	givenname: ONE
	sn: USER
	uid: one.user
	...

In our case, the attribute used as basic auth username is "uid", that's because
people at "My Company" are used to doing so and because it's guaranteed to be
unique, but other ones could be used (e.g. "cn").

When the user types his user name (one.user) and the correct password at the
basic auth prompt, the authentication phase succeeds, and the user dn
(CN=ONE USER,OU=IT People,O=My Company) is fetched from the ldap server.

Now suppose that the user wants to visit a location reserved to admins, protected
with:

	Require ldap-group CN=IT_Admins
	
and suppose that he is a member of that group:

	dn: CN=IT_Admins
	cn: IT_Admins
	objectclass: groupOfNames
	member: CN=DOMENICO ROTIROTI,OU=IT People,O=My Company
	...

Authorization should succeed too, but with anonymous bind with our server we get:

	authorisation failed [Comparison complete][Insufficient access]

while configuring AuthLDAPBindDN/Password all goes fine:

	authorisation successful (attribute member) [Comparison true (adding to cache)]

So, the idea is to use the dn fetched from ldap (not the uid used in basic auth)
and the user-provided password in the compare phase, so we don't have to expose
bind information in the config file.

To answer your question (how basic auth usernames have to relate ...):
The only requirement is that users can bind with their dn and password and that
their username is stored in the attribute configured in AuthLDAPUrl.
The b.a. username is not used for bind, so I could switch uid with cn changing just
AuthLDAPUrl and things would continue to work fine.

Please let me know if something is not clear, I'll try to explain better.

Domenico
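For readers following the thread, here are the three configurations the message compares, side by side, as an added example rather than anything posted by Domenico or shipped with httpd. The host name, the service-account DN and its password are constructed placeholders; the directory layout and group name are the ones from the message, and the third block uses the AuthLDAPCompareAsUser directive that later httpd releases (2.4) provide for exactly this behaviour.

```apache
# 1. Anonymous bind. Authentication works: httpd looks up "one.user" in the
#    uid attribute, gets the DN and binds as it with the supplied password.
#    The "Require ldap-group" compare, however, is done with the anonymous
#    connection, and a directory that hides the group's member attribute from
#    anonymous clients answers "Insufficient access", so authorization fails.
<Location /admin>
    AuthType Basic
    AuthName "IT Admins"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/O=My%20Company?uid?sub?(objectClass=inetOrgPerson)"
    Require ldap-group CN=IT_Admins
</Location>

# 2. Workaround: a service account for searches and compares. The compare now
#    succeeds, but a long-lived bind password lives in httpd.conf, readable by
#    anyone who can read the configuration (backups, config management, ...).
<Location /admin-with-service-account>
    AuthType Basic
    AuthName "IT Admins"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/O=My%20Company?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN "CN=httpd service,OU=Service Accounts,O=My Company"   # constructed
    AuthLDAPBindPassword "service-account-password-placeholder"          # constructed
    Require ldap-group CN=IT_Admins
</Location>

# 3. The approach proposed in this thread: reuse the DN fetched during
#    authentication (CN=ONE USER,OU=IT People,O=My Company) together with the
#    password the user just typed for the member compare. No bind secret in
#    the config file; the only requirement is that users can bind with their
#    own DN and that the basic-auth username is stored in the attribute named
#    in AuthLDAPURL ("uid" here; switching to "cn" changes only the URL).
<Location /admin-compare-as-user>
    AuthType Basic
    AuthName "IT Admins"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/O=My%20Company?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPCompareAsUser On
    Require ldap-group CN=IT_Admins
</Location>
```

With variant 3 the directory's own ACLs decide what a bound user may read, so the group's member attribute must be visible to its members for the compare to succeed.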


