Mailing List Archive: Apache: Users

Apache LDAP authentication and non anonymous binding?

 

 



radek.antoniuk at gmail

Feb 14, 2008, 6:13 AM

Post #1 of 5 (191 views)
Apache LDAP authentication and non anonymous binding?

Hey!

I'm just trying to configure LDAP authentication for apache, and it
looks like my scenario is not supported (or I can't find a word about
it).
I've read the docs on http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html.
Most of LDAP servers accept anonymous binding for the authentication
phase. Mine does not.
So, there are two options:
AuthLDAPBindDN An optional DN to bind with during the search phase.
AuthLDAPBindPassword An optional password to bind with during the search phase.

But the problem is that I need to bind to LDAP for this phase with the
credentials that are going to be checked. because:
1. my LDAP does not allow anonymous binding
2. I don't have any guest user that I want to connect with
3. obviously I don't want to use one real fixed user for all search
authentication lookups.

So, is it possible? The question is, is there a way of using the
actual login/password credentials for the binding phase and if bind
succeeds ==> authentication true and go to authorization phase?

Thanks
Radek

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe[at]httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe[at]httpd.apache.org
For additional commands, e-mail: users-help[at]httpd.apache.org


krist.vanbesien at gmail

Feb 14, 2008, 7:33 AM

Post #2 of 5 (167 views)
Re: Apache LDAP authentication and non anonymous binding? [In reply to]

On Thu, Feb 14, 2008 at 3:13 PM, Radosław Antoniuk
<radek.antoniuk[at]gmail.com> wrote:

> But the problem is that I need to bind to LDAP for this phase with the
> credentials that are going to be checked. because:
> 1. my LDAP does not allow anonymous binding
> 2. i don't have any guest user that I want to connect with
> 3. obviously I don't want to use one real fixed user for all search
> authentication lookups.

Is your LDAP by any chance an MS AD server?

Krist


--
krist.vanbesien[at]gmail.com
krist[at]vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?


radek.antoniuk at gmail

Feb 14, 2008, 7:55 AM

Post #3 of 5 (167 views)
Re: Apache LDAP authentication and non anonymous binding? [In reply to]

2008/2/14 Krist van Besien <krist.vanbesien[at]gmail.com>:
> On Thu, Feb 14, 2008 at 3:13 PM, Radosław Antoniuk
> <radek.antoniuk[at]gmail.com> wrote:
>
> > But the problem is that I need to bind to LDAP for this phase with the
> > credentials that are going to be checked. because:
> > 1. my LDAP does not allow anonymous binding
> > 2. i don't have any guest user that I want to connect with
> > 3. obviously I don't want to use one real fixed user for all search
> > authentication lookups.
>
> Is your LDAP by any chance an MS AD server?
>
> Krist

Hey,

Yeap, Windows 2000 Active Directory.
That's a good point, I have just googled a bit for that one and found
http://search.cpan.org/~reggers/Apache2-AuthenMSAD-0.02/AuthenMSAD.pm

Any simpler more apache-native-modules methods?

Thanks,
Radek


covener at gmail

Feb 14, 2008, 9:31 AM

Post #4 of 5 (167 views)
Re: Apache LDAP authentication and non anonymous binding? [In reply to]

On Thu, Feb 14, 2008 at 9:13 AM, Radosław Antoniuk
<radek.antoniuk[at]gmail.com> wrote:
> So, Is it possible? The question is, is there a way of using the
> actual login/password credentials for the binding phase and if bind
> succeeds ==> authentication true and go to authorization phase?

The problem you're hitting is that before Apache can use the
username/password provided, it needs to translate the "web" username
into an LDAP distinguished name by querying LDAP -- this is what the
BindDN/Password are for.

Maybe your MSAD folks can setup a limited access user that can perform
this specific query?

--
Eric Covener
covener[at]gmail.com
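The two-phase flow Eric describes, written out as an added httpd configuration example (not from the thread, and not the original poster's setup): phase one binds with a dedicated, read-only service account to turn the web user name into a DN, phase two rebinds as that DN with the password the browser sent, and only then does the ldap-group check run as the authorization phase. Host names, DNs, the CA file path, the group name and the service account name are placeholders; the `exec:` form of AuthLDAPBindPassword needs httpd 2.4.5 or later, and on 2.2 you would put the literal password there and keep the file unreadable to anyone but root.

```apache
# Added example: mod_authnz_ldap against an AD that refuses anonymous binds,
# using a least-privilege search account instead of a real user's credentials.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Both binds carry a password over the wire: use ldaps and verify the DC's cert.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-ca.pem   # placeholder path
LDAPVerifyServerCert On

<Location "/secure">
    AuthType Basic
    AuthName "Corporate directory"
    AuthBasicProvider ldap

    # Phase 1 (search): bind as the service account and find the object whose
    # sAMAccountName equals the user name typed into the browser.
    AuthLDAPURL "ldaps://dc1.corp.example:636/DC=corp,DC=example?sAMAccountName?sub?(objectClass=user)"
    AuthLDAPBindDN "CN=svc-httpd-search,OU=Service Accounts,DC=corp,DC=example"
    AuthLDAPBindPassword "exec:/usr/local/sbin/httpd-ldap-password"  # httpd >= 2.4.5

    # Phase 2 (authentication): httpd rebinds as the DN found above with the
    # browser-supplied password. A failed rebind is a failed login.

    # Authorization: AD stores group membership as member DNs on the group.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=web-users,OU=Groups,DC=corp,DC=example
</Location>
```

The service account only needs read access to the user objects' sAMAccountName and to the group's member attribute; if the search bind is rejected, httpd logs the phase-one bind failure in the error log before any user password is tried, which is the first thing to check when every login fails with the same error.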


krist.vanbesien at gmail

Feb 14, 2008, 10:44 AM

Post #5 of 5 (161 views)
Re: Apache LDAP authentication and non anonymous binding? [In reply to]

2008/2/14 Eric Covener <covener[at]gmail.com>:
> On Thu, Feb 14, 2008 at 9:13 AM, Radosław Antoniuk
> <radek.antoniuk[at]gmail.com> wrote:
>
> > So, Is it possible? The question is, is there a way of using the
> > actual login/password credentials for the binding phase and if bind
> > succeeds ==> authentication true and go to authorization phase?
>
> The problem you're hitting is that before Apache can use the
> username/password provided, it needs to translate the "web" username
> into an LDAP distinguished name by querying LDAP -- this is what the
> BindDN/Password are for.
>
> Maybe your MSAD folks can setup a limited access user that can perform
> this specific query?

There is a little known feature of AD that allows one to bind to the
directory using <username>@<domain>. That way if you know the username
and the domain (which is often the same for everyone) you can
authenticate against an AD without having to bind first to find the
dn.

There are no native Apache modules that I am aware of that allow this,
though; however, this would be extremely useful.

The Perl module AuthenMSAD however does exactly this, works very well,
but you need mod_perl for it. I use it on my site, together with
another perl authentication module that does caching, so that not
every request results in a bind to the AD server.

Krist

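The <username>@<domain> bind Krist describes, as an added httpd configuration example rather than code from the thread or from AuthenMSAD: it uses the AuthLDAPInitialBindAsUser and AuthLDAPInitialBindPattern directives that mod_authnz_ldap gained in httpd 2.4, which did not exist in the 2.2 module discussed here. The host name, base DN and UPN suffix `corp.example` are placeholders; the suffix must be one your AD actually issues as userPrincipalName, which is not always the DNS domain name.

```apache
# Added example: no service account at all. The initial connection is bound
# with the browser's own credentials, rewritten into an AD UPN.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/corp-ca.pem   # placeholder path
LDAPVerifyServerCert On

# mod_ldap caches successful binds, so not every request re-binds to the DC
# (the same job Krist does with a separate caching Perl module).
LDAPSharedCacheSize 500000
LDAPCacheTTL 600
LDAPOpCacheTTL 600

<Location "/secure">
    AuthType Basic
    AuthName "Corporate directory"
    AuthBasicProvider ldap

    AuthLDAPURL "ldaps://dc1.corp.example:636/DC=corp,DC=example?sAMAccountName?sub?(objectClass=user)"

    # Bind the search connection as the user instead of with AuthLDAPBindDN.
    AuthLDAPInitialBindAsUser On

    # "jdoe" -> "jdoe@corp.example". The anchored character class rejects a
    # login of the form "user@other.example" or "OTHER\user", so the browser
    # cannot steer the bind at a realm of its choosing.
    AuthLDAPInitialBindPattern "^([A-Za-z0-9._-]+)$" "$1@corp.example"

    Require valid-user
</Location>
```

After the UPN bind succeeds, httpd still runs the sAMAccountName search on that same connection to obtain the user's DN for Require ldap-user and ldap-group checks, which works on AD because any authenticated domain user may read its own object.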
