> Hope commit over the next couple of days, just dispelled the two bogus
> concerns I had. Can you suggest some doc on how your basic auth
> usernames have to relate to what is able to bind directly to the LDAP
> server? I think the arrangement on your server w/ the UID being able
> to bind as-is may be somewhat uncommon (paging any platform gurus)
Thanks Eric, since I'm not a native English speaker I'll try to explain things and answer your question using an example.

Let's start with an ldap entry:

dn: CN=ONE USER,OU=IT People,O=My Company
cn: ONE USER
objectclass: inetOrgPerson
objectclass: organizationalPerson
givenname: ONE
sn: USER
uid: one.user
...

In our case, the attribute used as basic auth username is "uid", that's because people at "My Company" are used to doing so and because it's guaranteed to be unique, but other ones could be used (e.g. "cn").

When the user types his user name (one.user) and the correct password at the basic auth prompt, the authentication phase succeeds, and the user dn (CN=ONE USER,OU=IT People,O=My Company) is fetched from the ldap server.

Now suppose that the user wants to visit a location reserved to admins, protected with:

Require ldap-group CN=IT_Admins

and suppose that he is a member of that group:

dn: CN=IT_Admins
cn: IT_Admins
objectclass: groupOfNames
member: CN=DOMENICO ROTIROTI,OU=IT People,O=My Company
...

Authorization should succeed too, but with anonymous bind with our server we get:

authorisation failed [Comparison complete][Insufficient access]

while configuring AuthLDAPBindDN/Password all goes fine:

authorisation successful (attribute member) [Comparison true (adding to cache)]

So, the idea is to use the dn fetched from ldap (not the uid used in basic auth) and the user-provided password in the compare phase, so we don't have to expose bind information in the config file.

To answer your question (how basic auth usernames have to relate ...): The only requirement is that users can bind with their dn and password and that their username is stored in the attribute configured in AuthLDAPUrl. The b.a. username is not used for bind, so I could switch uid with cn changing just AuthLDAPUrl and things would continue to work fine.

Please let me know if something is not clear, I'll try to explain better.

Domenico
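The two setups Domenico contrasts, written out as an added httpd configuration example (not from this thread or from the patch under discussion): variant A keeps a service account's bind credentials in the config file, variant B uses the later mod_authnz_ldap directive AuthLDAPCompareAsUser (httpd 2.3.6 and later), which does what he proposes, reusing the authenticated user's own bind for the ldap-group comparison. The hostname ldap.example.com, the /admin path and the service-account DN are assumed values; use one variant or the other, not both.

```apache
# --- Variant A: service account whose DN and password sit in httpd.conf.
# Anyone who can read the config file obtains directory credentials with
# enough rights to read group membership; the compare runs as this account.
<Location "/admin">
    AuthType Basic
    AuthName "IT Admins"
    AuthBasicProvider ldap
    # Search base and the attribute holding the Basic-auth username (uid here;
    # cn would work as well). The DN found by this search is what gets bound.
    AuthLDAPURL "ldap://ldap.example.com/OU=IT People,O=My Company?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPBindDN "CN=httpd svc,OU=Service Accounts,O=My Company"
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"
    # Group check: compare the group's "member" attribute against the user DN.
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=IT_Admins
</Location>

# --- Variant B: no stored credentials. Authentication binds as the DN found
# by the search, and AuthLDAPCompareAsUser makes the ldap-group comparison
# reuse that bind, so the "Insufficient access" result of an anonymous compare
# is avoided without a service account in the file.
# Caveat: the uid-to-DN search itself still runs anonymously here, so the
# directory must permit anonymous search of the uid attribute.
<Location "/admin">
    AuthType Basic
    AuthName "IT Admins"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://ldap.example.com/OU=IT People,O=My Company?uid?sub?(objectClass=inetOrgPerson)"
    AuthLDAPCompareAsUser on
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group CN=IT_Admins
</Location>
```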