2018-06-20 19:16 GMT+02:00 Michael Ströder <mich...@stroeder.com>:
> On 06/20/2018 06:04 PM, Clément OUDOT wrote:
>>
>> I don't know how it is managed on the AD side. From an LDAP point of view, the
>> BIND has failed, so I don't think you are authenticated as the user. In this
>> case I think PHP LDAP keeps the identity of the previous BIND, which was done
>> with the configured DN.
>
> I'm not using SSP but I can't hold myself back because I think it's
> important:
>
> 1. An LDAP client SHOULD NOT send a subsequent different bind request on an
> existing LDAP connection. It must open a new connection for each *new* bind.
> So for applications like SSP you have to use separate connections for SSP's
> service account and for checking the user's password. Basically, when checking
> the user's password you always open a new connection.
This is not the case for the moment, and I don't see why it is needed. If a
BIND is successful within a connection, the security context is updated after
the operation.

> 2. I really hope that AD drops to anonymous after a subsequent bind fails. An
> LDAP server should not automagically keep the old security association.
> You could check that by sending an LDAP Who Am I? extended operation in a
> test script.

Indeed, I attach a tiny Perl script that confirms what you said (tested on
OpenLDAP). I don't know how AD behaves with this.

Script result:

you are bound with authzId dn:cn=admin,dc=example,dc=com
BIND error Invalid credentials
you are bound with authzId
you are bound with authzId dn:uid=coudot,ou=users,dc=example,dc=com

Clément.
Attachment: test-ldap-whoami.pl (Perl program)
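The attached test-ldap-whoami.pl itself is not reproduced on this page. The script below is an added example (not the author's attachment and not LTB project code) that replays the sequence Clément reports, using Net::LDAP and the Who Am I? extended operation (RFC 4532) after each bind on a single connection, and then adds the pattern Michael recommends: checking a user's password on a fresh connection so that the service-account connection is never rebound. The server URI, DNs and passwords are assumed test fixtures; RFC 4511 specifies that a failed Bind leaves the connection in an anonymous state, which is what the empty authzId in the list post shows.

```perl
#!/usr/bin/perl
# Added example, not the script attached to the list post.
# Assumptions: an LDAP server reachable at LDAP_URI with the admin and
# user entries below; override them through the environment.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Extension::WhoAmI;   # adds $ldap->who_am_i

my $uri      = $ENV{LDAP_URI}      || 'ldap://localhost';
my $admin_dn = $ENV{LDAP_ADMIN_DN} || 'cn=admin,dc=example,dc=com';
my $admin_pw = $ENV{LDAP_ADMIN_PW} || 'secret';
my $user_dn  = $ENV{LDAP_USER_DN}  || 'uid=coudot,ou=users,dc=example,dc=com';
my $user_pw  = $ENV{LDAP_USER_PW}  || 'userpassword';

# Ask the server which identity is associated with this connection (RFC 4532)
# and print it in the same form as the list post. An empty authzId means the
# connection is anonymous.
sub whoami {
    my ($ldap) = @_;
    my $mesg = $ldap->who_am_i;
    die "Who Am I? failed: " . $mesg->error . "\n" if $mesg->code;
    my $id = $mesg->auth_id // '';
    print "you are bound with authzId $id\n";
    return $id;
}

# Bind on an existing connection and report failures without dying, so the
# security state left behind by a failed bind can be inspected.
sub try_bind {
    my ($ldap, $dn, $pw) = @_;
    my $mesg = $ldap->bind($dn, password => $pw);
    print "BIND error ", $mesg->error, "\n" if $mesg->code;
    return $mesg->code == 0;
}

# Password check on its own connection: the service-account connection is
# never rebound, whatever the outcome.
sub check_password {
    my ($dn, $pw) = @_;
    # An empty password is an "unauthenticated" bind (RFC 4513 5.1.2); a
    # permissive server answers success for it, so never treat it as a check.
    return 0 if !defined $pw || $pw eq '';
    my $conn = Net::LDAP->new($uri) or die "cannot connect to $uri: $@\n";
    my $ok = $conn->bind($dn, password => $pw)->code == 0;
    $conn->unbind;
    return $ok;
}

# Sequence 1: several binds on ONE connection, Who Am I? after each.
my $ldap = Net::LDAP->new($uri) or die "cannot connect to $uri: $@\n";
try_bind($ldap, $admin_dn, $admin_pw);
whoami($ldap);                              # dn:<admin_dn>
try_bind($ldap, $user_dn, 'wrong-password');
whoami($ldap);                              # empty: connection is anonymous
try_bind($ldap, $user_dn, $user_pw);
whoami($ldap);                              # dn:<user_dn>
$ldap->unbind;

# Sequence 2: separate connection per password check; the service-account
# connection keeps its identity even after a failed user bind elsewhere.
my $svc = Net::LDAP->new($uri) or die "cannot connect to $uri: $@\n";
try_bind($svc, $admin_dn, $admin_pw) or die "service account bind failed\n";
printf "password check for %s: %s\n", $user_dn,
    check_password($user_dn, 'wrong-password') ? 'ok' : 'rejected';
whoami($svc);                               # still dn:<admin_dn>
$svc->unbind;
```

Run it with `LDAP_URI`, `LDAP_ADMIN_DN`, `LDAP_ADMIN_PW`, `LDAP_USER_DN` and `LDAP_USER_PW` set for your test directory; the first sequence should print the three authzId lines from the list post (the middle one empty), and the second should still report the service account's DN after the rejected password check.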
_______________________________________________ ltb-users mailing list ltb-users@lists.ltb-project.org https://lists.ltb-project.org/cgi-bin/mailman/listinfo/ltb-users