httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Krist van Besien" <krist.vanbes...@gmail.com>
Subject Re: [users@httpd] Apache LDAP authentication and non anonymous binding?
Date Thu, 14 Feb 2008 18:44:20 GMT
2008/2/14 Eric Covener <covener@gmail.com>:
> On Thu, Feb 14, 2008 at 9:13 AM, Radosław Antoniuk
>  <radek.antoniuk@gmail.com> wrote:
>
> >  So, Is it possible? The question is, is there a way of using the
>  >  actual login/password credentials for the binding phase and if bind
>  >  succeeds ==> authentication true and go to authorization phase?
>
>  The problem you're hitting is that before Apache can use the
>  username/password provided, it needs to translate the "web" username
>  into an LDAP distinguished name by querying LDAP -- this is what the
>  BindDN/Password are for.
>
>  Maybe your MSAD folks can setup a limited access user that can perform
>  this specific query?

There is a little know feature of AD that allows one to bind to the
directory using <username>@<domain>. That way if you know the username
and the domain (which is often the same for everyone) you can do an
authenticate against an AD without having to bind first to find the
dn.

There is no native Apache modules that I am aware of that allows this
though, however this would be extremely usufull.

The Perl module AuthenMSAD howewer does exactly this, works very well,
but you need mod_perl for it. I use it on my site, together with
another perl authentication module that does caching, so that not
every request results in a bind to the AD server.

Krist







-- 
krist.vanbesien@gmail.com
krist@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
Mime
View raw message