Hi there,

I had some trouble getting auth_ldap to work. I solved the problems, but not to my complete satisfaction. The reason for this is the way auth_ldap does the authentication with the LDAP server.

Here is the sequence of operations auth_ldap does in a default LDAP setup. In this setup anyone has read access to all data (except passwords) in the directory.

Operation                                                   Bound as   Access
-----------------------------------------------------------------------------
open connection to ldap server                              --         --
bind as admin (dn and password provided by conf)            admin      read/write

start authentication of user "name1"                        admin      read/write
search for user "name1"                                     admin      read/write
bind as name1 (dn provided by search operation,             name1      read
  password by user)
end authentication of user "name1"                          name1      read

start authentication of user "name2"                        name1      read
search for user "name2"                                     name1      read
bind as name2 (dn provided by search operation,             name2      read
  password by user)
end authentication of user "name2"                          name2      read
...

In my setup only the LDAP admin has read access to the data in the directories. Nobody else has read access rights to the data. That works with PAM and Samba, but not with auth_ldap. Here is the sequence with the altered setup.

Operation                                                   Bound as   Access
-----------------------------------------------------------------------------
open connection to ldap server                              --         --
bind as admin (dn and password provided by conf)            admin      read/write

start authentication of user "name1"                        admin      read/write
search for user "name1"                                     admin      read/write
bind as name1 (dn provided by search operation,             name1      --
  password by user)
end authentication of user "name1"                          name1      --

start authentication of user "name2"                        name1      --
search for user "name2"                                     name1      --

Because of the missing access rights to the data, the search fails and returns zero results every time.

I think a solution would be to bind as admin before doing the search. As a workaround I give read access to authenticated users.

Sebastian
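The sequence described in the message above, as an added example that is not part of the original post and not auth_ldap's own code. It models one LDAP connection whose bound identity carries over to every later operation, runs the search-then-bind flow for two users over it, and compares the behaviour with and without re-binding as the service account before each search. The directory, the DNs (`cn=admin,dc=example,dc=org` and so on), the user names and the passwords are all constructed for the example; no LDAP library is used, so it runs offline.

```python
"""Simulated search-then-bind authentication over a single LDAP connection.

Shows why, when only the service account may read the directory, the
connection has to be re-bound as that account before every user search.
Constructed model: the directory, DNs and passwords below are made up and
the stored "password" stands in for a userPassword hash.
"""

ADMIN_DN = "cn=admin,dc=example,dc=org"
ADMIN_PW = "admin-secret"   # constructed; in a real module it comes from config

# Constructed directory: DN -> attributes.
DIRECTORY = {
    ADMIN_DN: {"uid": "admin", "password": ADMIN_PW},
    "uid=name1,ou=people,dc=example,dc=org": {"uid": "name1", "password": "pw1"},
    "uid=name2,ou=people,dc=example,dc=org": {"uid": "name2", "password": "pw2"},
}


class Connection:
    """One LDAP connection. A bind replaces the connection's identity, and
    every later operation runs as that identity until the next bind."""

    def __init__(self, admin_only_read):
        self.bound_as = None              # DN currently bound; None = anonymous
        self.admin_only_read = admin_only_read

    def bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        if entry is None or entry["password"] != password:
            self.bound_as = None          # a failed bind leaves the connection anonymous
            return False
        self.bound_as = dn
        return True

    def _can_read(self):
        if self.admin_only_read:
            return self.bound_as == ADMIN_DN      # the altered setup from the message
        return True                                # default setup: anyone may read

    def search_uid(self, uid):
        """Return the DN whose uid matches, or None. Without read access the
        server answers with zero results, exactly as for an unknown user."""
        if not self._can_read():
            return None
        for dn, attrs in DIRECTORY.items():
            if attrs["uid"] == uid:
                return dn
        return None


def authenticate(conn, uid, password, rebind_admin):
    """Search-then-bind for one user over an existing connection.

    With rebind_admin=True the connection is first re-bound as the service
    account, so the search runs with its rights regardless of who was bound
    before (the fix proposed in the message)."""
    if rebind_admin:
        conn.bind(ADMIN_DN, ADMIN_PW)
    dn = conn.search_uid(uid)
    if dn is None:
        return False
    return conn.bind(dn, password)


def run_sequence(admin_only_read, rebind_admin, logins):
    """Authenticate (uid, password) pairs in order over one shared connection
    and return the list of outcomes, which is what a module that keeps the
    connection open across requests would see."""
    conn = Connection(admin_only_read)
    conn.bind(ADMIN_DN, ADMIN_PW)         # initial bind from configuration
    return [authenticate(conn, uid, pw, rebind_admin) for uid, pw in logins]


if __name__ == "__main__":
    logins = [("name1", "pw1"), ("name2", "pw2")]
    print("default setup, no rebind :", run_sequence(False, False, logins))
    print("admin-only read, no rebind:", run_sequence(True, False, logins))
    print("admin-only read, rebind   :", run_sequence(True, True, logins))
```

With the default setup both users authenticate; with admin-only read and no re-bind the second user always fails, because the search for "name2" runs as "name1" and returns nothing. Note that a search returning zero results looks the same to the module as a user that does not exist, so a log showing every login after the first failing with "user not found" rather than "invalid credentials" is the symptom to look for. The model also shows a second consequence of not re-binding: after a wrong password the connection is left anonymous, and the next search fails for the same reason.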
