Hi all,

I am not sure if this is the right place for a proposal which would IMHO 
improve the LDAP authentication feature.

The LDAP authentication feature is really cool, but unfortunately it is a little limited as the DN 
must include the user name entered in the authentication dialogue, which is typically the user ID 
(uid).  In my OpenLDAP installation, the DN contains the CN ("cn=Jack D. Ripper,dc=..."), 
but not the uid.  Thus, the "usual" single sign-on is not possible.

A simple solution would be to optionally /search/ LDAP for the dn matching 
"uid=...", and then use the dn returned from the search to bind as password 
verification (I think this is what e.g. Apache does).

Thus, I modified the OpenVAS sources (openvas-libraries-8.0.6) by
- adding a bool flag to optionally use the 'authdn' config item as search 
pattern for searching the actual dn,
- adding a search base config item, and
- extending the ldap bind procedure by first binding anonymously and searching 
the dn when requested.

This works just nicely with my OpenLDAP installation which allows an anonymous 
search.  If this is not possible (as with AD?), two more config items for a 
search user dn and password could be added easily.

Opinions?  Are you interested in my solution?

Cheers
Albrecht.
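As an added worked example (editor's illustration, not Albrecht's patch and not OpenVAS code), here is the search-then-bind flow described in the mail, written in Python against a small in-memory directory that stands in for the LDAP server so it runs offline. The names (`authenticate`, `InMemoryDirectory`), the `%s` placeholder in the search pattern, and the sample entries are assumptions. It also shows two checks the flow needs in practice: the user name is escaped before it is spliced into the search filter (RFC 4515), and an empty password is rejected up front, because an LDAP simple bind with an empty password is an anonymous bind that succeeds without verifying anything.

```python
"""Search-then-bind LDAP authentication against a constructed in-memory
directory (stand-in for a real LDAP connection; not OpenVAS code)."""
import re


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515),
    so a user name such as 'x)(uid=*' cannot rewrite the filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r'\\([0-9a-fA-F]{2})',
                  lambda m: chr(int(m.group(1), 16)), value)


class InMemoryDirectory:
    """Entries keyed by DN. bind() follows LDAP simple-bind semantics,
    including the trap that an empty password is an anonymous bind."""

    def __init__(self, entries, allow_anonymous_search=True):
        self.entries = entries
        self.allow_anonymous_search = allow_anonymous_search
        self.bound_dn = None

    def bind(self, dn, password):
        if not dn or password == "":
            self.bound_dn = None      # anonymous / unauthenticated bind
            return True
        entry = self.entries.get(dn)
        ok = entry is not None and entry["userPassword"] == password
        self.bound_dn = dn if ok else None
        return ok

    def search(self, base_dn, filt):
        """Supports only single equality filters such as '(uid=jdoe)'."""
        if self.bound_dn is None and not self.allow_anonymous_search:
            raise PermissionError("anonymous search not permitted")
        m = re.fullmatch(r'\((\w+)=(.*)\)', filt)
        if not m:
            raise ValueError("unsupported filter: " + filt)
        attr, value = m.group(1), _unescape(m.group(2))
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base_dn) and e.get(attr) == value]


def authenticate(directory, base_dn, filter_pattern, username, password,
                 search_dn=None, search_password=None):
    """Search for the user's DN, then bind as that DN to verify the password.
    Returns the DN on success, None on failure."""
    if not password:
        return None                 # would otherwise bind anonymously
    if search_dn and not search_password:
        return None                 # a search account needs a real password
    if not directory.bind(search_dn, search_password or ""):
        return None                 # lookup bind (anonymous or service) failed
    filt = filter_pattern.replace("%s", escape_filter_value(username))
    try:
        matches = directory.search(base_dn, filt)
    except PermissionError:
        return None
    if len(matches) != 1:
        return None                 # unknown user, or ambiguous uid
    user_dn = matches[0]
    return user_dn if directory.bind(user_dn, password) else None


BASE_DN = "ou=people,dc=example,dc=com"


def make_directory(allow_anonymous_search=True):
    """Constructed sample directory: uid is an attribute, not part of the DN."""
    return InMemoryDirectory({
        "cn=Jack D. Ripper,ou=people,dc=example,dc=com":
            {"uid": "jripper", "userPassword": "s3cret"},
        "cn=Jane Doe,ou=people,dc=example,dc=com":
            {"uid": "jdoe", "userPassword": "pa55"},
        "cn=svc-search,ou=services,dc=example,dc=com":
            {"userPassword": "svc-pw"},
    }, allow_anonymous_search)


if __name__ == "__main__":
    d = make_directory()
    print(authenticate(d, BASE_DN, "(uid=%s)", "jripper", "s3cret"))
```

With anonymous search disabled (the AD case mentioned in the mail), `authenticate` fails unless `search_dn`/`search_password` for a service account are supplied; that is exactly the pair of extra config items the proposal anticipates.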


_______________________________________________
Openvas-discuss mailing list
https://lists.wald.intevation.org/cgi-bin/mailman/listinfo/openvas-discuss
