Return-Path: Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: (qmail 2555 invoked from network); 26 Jan 2010 12:07:09 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.3) by minotaur.apache.org with SMTP; 26 Jan 2010 12:07:09 -0000 Received: (qmail 49146 invoked by uid 500); 26 Jan 2010 12:07:08 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 49042 invoked by uid 500); 26 Jan 2010 12:07:08 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 49033 invoked by uid 99); 26 Jan 2010 12:07:08 -0000 Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 26 Jan 2010 12:07:08 +0000 X-ASF-Spam-Status: No, hits=-0.0 required=10.0 tests=SPF_HELO_PASS,SPF_PASS X-Spam-Check-By: apache.org Received-SPF: pass (athena.apache.org: domain of minfrin@sharp.fm designates 72.32.122.20 as permitted sender) Received: from [72.32.122.20] (HELO chandler.sharp.fm) (72.32.122.20) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 26 Jan 2010 12:07:00 +0000 Received: from chandler.sharp.fm (localhost [127.0.0.1]) by chandler.sharp.fm (Postfix) with ESMTP id D1C58780C0 for ; Tue, 26 Jan 2010 06:06:39 -0600 (CST) Received: from 87-194-125-14.bethere.co.uk (87-194-125-14.bethere.co.uk [87.194.125.14]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client did not present a certificate) (Authenticated sender: minfrin@sharp.fm) by chandler.sharp.fm (Postfix) with ESMTP id 81C36780B0 for ; Tue, 26 Jan 2010 06:06:39 -0600 (CST) Message-Id: <6E0320E9-0CF1-4051-8924-9E492EF29A41@sharp.fm> From: Graham Leggett To: dev@httpd.apache.org In-Reply-To: <1404e5911001251844q16c4dd24ie2493d1a6256b01@mail.gmail.com> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v936) Subject: Re: LDAP authentication: non-anonymous bind Date: Tue, 26 Jan 2010 14:06:34 +0200 References: <20100125130009.5fdbf39c@erker> <1404e5911001251844q16c4dd24ie2493d1a6256b01@mail.gmail.com> X-Mailer: Apple Mail (2.936) X-Virus-Scanned: ClamAV using ClamSMTP On 26 Jan 2010, at 4:44 AM, Eric Covener wrote: >> This new behaviour covers the two use cases described above (even >> though I did >> not check it in an Active Directory setup). > > Patch is nice and simple, but it would be great if someone with AD > leanings could confirm that this combination of HTTP username, > attribute, and basedn is likely to result in something that can bind > in a typical AD install. There are three possible scenarios for login: - User provides username, auth_ldap server does a search within the directory to find the DN corresponding to the username, and then attempts to bind as that DN. If it succeeds, you're in. This usually requires a DN of some kind to use to do the initial login to do the original search. (AD works fine in this scenario, on condition you have an account to bind and do the initial search with). - User provides username, auth_ldap applies the username to an admin- provided recipe of some kind to create the DN. This recipe needs to be flexible enough to support various scenarios, such as the base URL for the recipe being something other than the base URL for searches (think group searches, a group might not have the same base DN as the person). - User provides username, auth_ldap tries to bind directly with that username without first converting it to a DN. This is how AD would work. Ideally auth_ldap should support the above three methods, am I correct in understanding that the patch implements the second option above? (I don't have time to review it fully at the moment). Regards, Graham --