> Hope commit over the next couple of days, just dispelled the two
bogus
> concerns I had. Can you suggest some doc on how your basic auth
> usernames have to relate to what is able to bind directly to the
LDAP
> server? I think the arrangement on your server w/ the UID being
able
> to bind as-is may be somewhat uncommon (paging any platform gurus)
Thanks Eric,
since I'm not native english speaker I'll try to explain things and
answer
your question using an example.
Let's start with an ldap entry:
dn: CN=ONE USER,OU=IT People,O=My Company
cn: ONE USER
objectclass: inetOrgPerson
objectclass: organizationalPerson
givenname: ONE
sn: USER
uid: one.user
...
In our case, the attribute used as basic auth username is "uid",
that's because
people at "My Company" are used to do so and because it's guaranteed
to be
unique, but other ones could be used (eg. "cn").
When the user types his user name (one.user) and the correct password
at the
basic auth prompt, the authentication phase succeeds, and the user
dn
(CN=ONE USER,OU=IT People,O=My Company) is fetched from the ldap
server.
Now suppose that the user wants to visit a location reseved to
admins, protected
with:
Require ldap-group CN=IT_Admins
and suppose that he is a member of that group:
dn: CN=IT_Admins
cn: IT_Admins
objectclass: groupOfNames
member: CN=DOMENICO ROTIROTI,OU=IT People,O=My Company
...
Authorization should succeed too, but with anonymous bind with our
server we get:
authorisation failed [Comparison complete][Insufficient access]
while configuring AuthLDAPBindDN/Password all goes fine:
authorisation successful (attribute member) [Comparison true (adding
to cache)]
So, the idea is to use the dn fetched from ldap (not the uid used in
basic auth)
and the user-provided password in the compare phase, so we don't have
to expose
bind information in config file.
To answer you question (how basic auth usernames have to relate
...):
The only requirement is that user can bind with their dn and password
and that
their username is stored in the attribute configured in AuthLDAPUrl.
The b.a. username is not used for bind, so I could switch uid with cn
changing just
AuthLDAPUrl and things would continue to work fine
Please let me know if something is not clear, I'll try to explain
better.
Domenico
We Love Megapixel ! Fino al 40% di sconto per le stampe formato 13x17/19. 0,12
€ cad. per quantità maggiori di 60 fotohttp://photo.tiscali.it
