Just wanted to update you on my attempts to authenticate against an OpenLDAP server as a secondary directory server (but not an Active Directory server) for users and groups.

I managed to get it working, while compromising greatly on the security =) I was using Wireshark to understand how openthinclient sends the LDAP bind request from the login screen to the OpenLDAP server (set up as secondary directory). It seems that the login screen sends only the "cn=Manager" part, even though the Read only principal (under thinclient server) is complete with the DN suffix (such as cn=Manager,dc=mydomain,dc=com). I have no idea why this is happening; perhaps you can shed some light on it.

On the openthinclient server, I set up the Secondary Directory Server as follows:

    Secondary Directory LDAP URL: ldap://localhost:389/dc=mydomain,dc=com
    Read only principal: [empty]
    Password: [empty]

And the slapd.conf for the OpenLDAP server has the following config (the rest of the config truncated):

    database bdb
    suffix "dc=mydomain,dc=com"
    #rootdn "cn=Manager,dc=mydomain,dc=com"
    #rootpw secret

where the rootdn and rootpw are disabled, so the above configuration on the thinclient server for secondary login works! The bind request will work without supplying a read-only principal, authenticate and validate the user login. Obviously, this is remotely secure as OpenLDAP is not secured itself.

***

If I enable the rootdn and rootpw and configure the thinclient server as follows:

    Secondary Directory LDAP URL: ldap://localhost:389/dc=mydomain,dc=com
    Read only principal: cn=Manager,dc=mydomain,dc=com
    Password: secret

restart a thin client, run Wireshark to filter LDAP, and attempt to log in to the thin client: the Bind Request always sends only "cn=Manager" to authenticate, which results in Invalid Credentials and the authentication of the thin client fails (???). I found no evidence on why this might be happening, only a remote possibility that it might be customized for Active Directory's LDAP implementation (??). Ideally, I would love to run the OpenLDAP server with a secure root and read-only principal.

If you see an obvious mistake in my slapd.conf and are aware of any ways to overcome this problem, please let me know.

For users, I copied the cn=users nodes from the openthinclient LDAP over to the OpenLDAP server, and the default MD5-base64 hashed passwords work OK. I realized that if I change the password to clear text in cn=users under OpenLDAP, authentication will take place. I believe this is a feature of LDAP where it negotiates the password checking/authentication according to the hash (enlighten me if I'm missing something crucial).

I would compile this in an article for other users that might be looking for alternate secondary directory authentication besides Active Directory.

All the best.

--
View this message in context: http://www.nabble.com/Secondary-Directory-%3E-Bind-Req.-doesn%27t-send-the-full-principal-tp19477692p19477692.html
Sent from the openthinclient.org users' mailing list archive at Nabble.com.

_______________________________________________
The Open Source Thin Client Solution
http://openthinclient.org
[email protected]
https://lists.sourceforge.net/lists/listinfo/openthinclient-user
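The bind request the post watched in Wireshark, as an added example that is not part of the original message and not openthinclient or OpenLDAP code. It encodes and decodes an LDAPv3 simple BindRequest in BER (RFC 4511) so the name field can be inspected exactly as it goes on the wire; the two packets it builds are constructed to mirror the two captures described above (a bare "cn=Manager" and the full "cn=Manager,dc=mydomain,dc=com"). Nothing about the DN is negotiated or completed by the server: slapd compares the string the client sent against its rootdn, so a client that sends only the first RDN can never match a rootdn that carries the suffix. The DN normalisation is a deliberate simplification of RFC 4514 matching, sufficient for these names.

```python
"""BER encode/decode of an LDAPv3 simple BindRequest (RFC 4511 section 4.2).

Added example (not openthinclient or OpenLDAP code).  The two packets built
in __main__ are constructed to mirror the captures described in the post.
"""
from dataclasses import dataclass
from typing import Tuple

# BER tags for the pieces of an LDAP BindRequest.
TAG_SEQUENCE = 0x30       # LDAPMessage (universal, constructed)
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04   # LDAPDN name
TAG_BIND_REQUEST = 0x60   # [APPLICATION 0], constructed
TAG_SIMPLE_AUTH = 0x80    # AuthenticationChoice simple [0], primitive


def _ber_len(n: int) -> bytes:
    """Definite-form BER length: one byte below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def _ber_int(n: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 is added when the top bit is set."""
    return _tlv(TAG_INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def encode_bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, bindRequest { version 3, name, simple password } }."""
    body = (_ber_int(3)
            + _tlv(TAG_OCTET_STRING, name.encode("utf-8"))
            + _tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))
    return _tlv(TAG_SEQUENCE, _ber_int(message_id) + _tlv(TAG_BIND_REQUEST, body))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Parse the TLV at buf[pos]; return (tag, value, offset after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


@dataclass
class BindRequest:
    message_id: int
    version: int
    name: str        # the DN exactly as it went on the wire
    password: str    # simple bind sends it in clear; use ldaps:// or StartTLS


def decode_bind_request(pkt: bytes) -> BindRequest:
    """Pull the fields a capture tool would display out of a simple BindRequest."""
    tag, msg, _ = _read_tlv(pkt, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = _read_tlv(msg, 0)
    if tag != TAG_INTEGER:
        raise ValueError("missing messageID")
    tag, body, _ = _read_tlv(msg, pos)
    if tag != TAG_BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    t_ver, ver, pos = _read_tlv(body, 0)
    t_name, name, pos = _read_tlv(body, pos)
    t_auth, auth, _ = _read_tlv(body, pos)
    if (t_ver, t_name, t_auth) != (TAG_INTEGER, TAG_OCTET_STRING, TAG_SIMPLE_AUTH):
        raise ValueError("only simple authentication is handled here")
    return BindRequest(int.from_bytes(mid, "big"), int.from_bytes(ver, "big"),
                       name.decode("utf-8"), auth.decode("utf-8"))


def normalize_dn(dn: str) -> str:
    """Case-fold and strip blanks around RDN separators (a simplification of
    RFC 4514 matching, enough for the names compared here)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def would_match_rootdn(sent_name: str, rootdn: str) -> bool:
    """Does the name in the bind equal the slapd rootdn?  A bare first RDN never does."""
    return normalize_dn(sent_name) == normalize_dn(rootdn)


if __name__ == "__main__":
    ROOTDN = "cn=Manager,dc=mydomain,dc=com"   # the rootdn from the post's slapd.conf
    for sent in ("cn=Manager", ROOTDN):        # constructed to mirror the two captures
        req = decode_bind_request(encode_bind_request(1, sent, "secret"))
        print(f"bind name on wire: {req.name!r:40} matches rootdn: "
              f"{would_match_rootdn(req.name, ROOTDN)}")
```

Run as a script it prints False for the bare RDN and True for the full DN, which is the difference between the invalidCredentials result in the post and a successful bind. To confirm the server side independently of the thin client, the OpenLDAP client tools can bind with the full DN directly, e.g. `ldapwhoami -x -H ldap://localhost:389 -D "cn=Manager,dc=mydomain,dc=com" -w secret`; if that succeeds while the thin client fails, the problem is in what the client puts in the name field, not in slapd.conf.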
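On the password part of the post, an added example (not part of the original message, and not OpenLDAP or openthinclient code) showing how a simple bind against a stored userPassword actually works: the client always sends the cleartext password, and slapd checks it according to the {SCHEME} prefix of the stored value (RFC 2307 style), so both an "{MD5}" hash and a bare cleartext value verify without any negotiation on the wire. The sample stored value below is constructed; it is the {MD5} form of the password "secret". The code also produces salted {SSHA} values, which is what `slappasswd -h '{SSHA}' -s secret` emits and what a `rootpw` line should hold instead of the cleartext "secret" shown in the slapd.conf above.

```python
"""Verify and produce RFC 2307-style userPassword values ({MD5}, {SHA},
{SMD5}, {SSHA}, cleartext) the way slapd's simple bind checks them.

Added example, not OpenLDAP or openthinclient code.  SAMPLE_USER_PASSWORD is a
constructed value: the {MD5} form of the password "secret".
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample, in the shape of a userPassword from the cn=users entries.
SAMPLE_USER_PASSWORD = "{MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ=="   # base64(md5("secret"))


def split_scheme(stored: str) -> Tuple[str, str]:
    """'{SSHA}abc' -> ('SSHA', 'abc'); a value without a prefix is cleartext."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "", stored


def hash_password(password: str, scheme: str = "SSHA",
                  salt: Optional[bytes] = None) -> str:
    """Build a '{SCHEME}base64' value.  Salted schemes store digest(pw+salt)+salt."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme in ("MD5", "SHA"):
        digest = hashlib.new("md5" if scheme == "MD5" else "sha1", pw).digest()
    elif scheme in ("SMD5", "SSHA"):
        salt = os.urandom(4) if salt is None else salt
        algo = "md5" if scheme == "SMD5" else "sha1"
        digest = hashlib.new(algo, pw + salt).digest() + salt
    else:
        raise ValueError(f"unsupported scheme {scheme!r}")
    return "{%s}%s" % (scheme, base64.b64encode(digest).decode("ascii"))


def verify_password(stored: str, candidate: str) -> bool:
    """True if candidate matches the stored userPassword under its own scheme."""
    scheme, payload = split_scheme(stored)
    pw = candidate.encode("utf-8")
    if scheme in ("", "CLEARTEXT"):
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    if scheme == "MD5":
        return hmac.compare_digest(hashlib.md5(pw).digest(), raw)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme in ("SMD5", "SSHA"):
        algo, dlen = ("md5", 16) if scheme == "SMD5" else ("sha1", 20)
        digest, salt = raw[:dlen], raw[dlen:]
        return hmac.compare_digest(hashlib.new(algo, pw + salt).digest(), digest)
    return False                  # {CRYPT} and others: not handled, fail closed


if __name__ == "__main__":
    print(verify_password(SAMPLE_USER_PASSWORD, "secret"))   # True
    print(verify_password("secret", "secret"))               # True: cleartext value
    print(hash_password("secret", "SSHA"))                   # random salt, like slappasswd
```

Unsalted {MD5} values such as the ones copied from the openthinclient directory verify fine, but they are cheap to crack offline if the directory is ever dumped; setting `password-hash {SSHA}` in slapd.conf makes slapd store new passwords salted. Since the simple bind carries the password in clear, the ldap:// URL in the secondary directory configuration should be ldaps:// (or StartTLS) once the server is no longer on localhost.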
