httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jess Holle <>
Subject Re: [users@httpd] Ldap Bind (w/ mod_auth_ldap)
Date Wed, 23 Apr 2008 14:03:42 GMT
Both Apache 2 and 2.2 work with LDAPs that disallow anonymous access, 
including AD, though you really need 2.2 for things to fully work as AD 
will close idle LDAP connections and 2.0 can't handle its connections 
being closed behind its back, whereas 2.2 can.

You do have to specify full DN and password in the Apache config, of course.

If you're wed to AD and have a stupid password change policy 
(Sarbannes-Oxley is inane in this regard -- this just encourages 
lower-quality passwords, writing down passwords, etc -- and appears to 
have been little more than corporate welfare for security/IT consulting 
companies in this regard), then you might try mod_auth_sspi if you're 
running Apache on Windows.

Jess Holle

Krist van Besien wrote:
> On Wed, Apr 23, 2008 at 3:05 PM, Harry Holt <> wrote:
>> Well... that was my assumption.  But looking at the trace, it is in fact
>> performing an anonymous search before attempting the bind.  Maybe it's
>> possible to specify a fully qualified DN and avoid the search, I don't know.
> That is the reason why I'm using a custom perl module in stead of the
> standard ldap modules. Our AD servers don't alloiw anonymous binds,
> and our password policy requires a password change every 6 weeks...
> These two things together made using mod_authz_ldap impractical.
> And the anonymous bind and ldap search is actually not needed when
> using an MS AD server. A little know feature of MS AD is that you can
> bind using "user@domain" as username. You can just test if a bind
> using this user, and the password supplied by the user is successfull.
> That is  what the perl module I use does. (The modules is
> Apache2::AuthenMSAD)
> Krist

View raw message