httpd-users mailing list archives

From "Bennett, Tony" <Bennett.T...@con-way.com>
Subject RE: [users@httpd] Confused about LDAP authentication with Active Directory
Date Thu, 26 Feb 2009 16:08:11 GMT
> -----Original Message-----
> From: Davide Bianchi [mailto:davide@walterisookeensufferukker.nl] 
> Sent: Thursday, February 26, 2009 6:51 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Confused about LDAP authentication with Active Directory
>
> Ed Avis wrote:
> > <http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html> imply that
> > Apache connects to the LDAP server using a fixed username and
> > password, and then merely queries the existence of an object in the
> > directory that matches the username. If so how does it check the
> > password supplied by the user?
> 
> The problem is that in order to check the password, you need to 'bind'
> to the AD server using the correct DN, in order to find the DN you need
> to query the AD server with the username. But AD doesn't allow you to
> query it without first binding.
> 
> So you need to bind in order to query, but you need to query to bind. It's
> a sort-of catch-22 situation. Hence the need for a fixed
> username/password to do the first query.
> 
> Davide

While this is true for 100% compliant LDAP servers, MS has "embraced and extended" 
what ActiveDirectory will accept for the user's DN... by "allowing" a Windows NT 
style login in the place of the DN.
The Windows NT style login is in this format:
	Domain\username
Where Domain is the ActiveDirectory Domain, and the username is the ActiveDirectory
samAccountName.

-tony

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
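
The search-then-bind sequence discussed in this thread, written out as a mod_authnz_ldap configuration for Apache 2.2. This is an added example, not part of the original messages; the hostname, base DN, service account, URL path and file paths are placeholders.

```apache
# Added example: every hostname, DN, account name and path below is a placeholder.

# Server-level: trust the CA that issued the domain controller's certificate,
# so both the service-account bind and the user's bind travel over verified TLS.
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ad-ca.pem
LDAPVerifyServerCert On

<Location /protected>
    # Basic auth sends the password on every request; require HTTPS (mod_ssl).
    SSLRequireSSL

    AuthType Basic
    AuthName "Active Directory login"
    AuthBasicProvider ldap

    # Step 1: the fixed account. Apache binds with it only to run the search,
    # because AD rejects anonymous searches. Give it read-only rights and keep
    # this file unreadable to other local users.
    # The reply above notes that AD also accepts the NT-style login
    # (Domain\username) in place of a DN.
    AuthLDAPBindDN "CN=svc-apache,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_ME"

    # Step 2: the search. The username typed by the visitor is matched against
    # sAMAccountName under the base DN; the result is that user's real DN.
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Step 3: the password check. mod_authnz_ldap binds a second time, as the DN
    # found in step 2, with the password the visitor supplied. A successful
    # bind is the proof of the password; Apache never reads it from the directory.
    Require valid-user
</Location>
```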