2008/2/14 Eric Covener <[EMAIL PROTECTED]>:
> On Thu, Feb 14, 2008 at 9:13 AM, Radosław Antoniuk
> <[EMAIL PROTECTED]> wrote:
>
> > So, is it possible? The question is, is there a way of using the
> > actual login/password credentials for the binding phase and if bind
> > succeeds ==> authentication true and go to authorization phase?
>
> The problem you're hitting is that before Apache can use the
> username/password provided, it needs to translate the "web" username
> into an LDAP distinguished name by querying LDAP -- this is what the
> BindDN/Password are for.
>
> Maybe your MSAD folks can set up a limited access user that can perform
> this specific query?
There is a little-known feature of AD that allows one to bind to the directory using <username>@<domain>. That way, if you know the username and the domain (which is often the same for everyone), you can authenticate against an AD without having to bind first to find the DN. There are no native Apache modules that I am aware of that allow this, though; however, this would be extremely useful. The Perl module AuthenMSAD, however, does exactly this and works very well, but you need mod_perl for it. I use it on my site, together with another Perl authentication module that does caching, so that not every request results in a bind to the AD server.

Krist

--
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Bremgarten b. Bern, Switzerland

--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
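What the "bind as <username>@<domain>" trick looks like on the wire, as an added example that is not part of the thread and not code from AuthenMSAD or any Apache module: an LDAPv3 simple BindRequest is hand-encoded in BER, once with a full DN (the classic case that needs the BindDN/BindPassword lookup Eric describes) and once with a UPN in the same name field, which AD accepts without a prior search. It also parses the resultCode out of a BindResponse so the caller can tell success (0) from invalidCredentials (49), and it refuses an empty password, because a simple bind with a name and no password is an unauthenticated bind (RFC 4513 section 5.1.2) that AD answers with success. The user name, domain, DN and sample response bytes are constructed for the example.

```python
# Added example: hand-rolled LDAPv3 simple BindRequest / BindResponse in BER,
# to show what an AD "user@domain" (UPN) bind is at the protocol level.
# Not code from the thread or from AuthenMSAD; names and sample bytes are made up.


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(value: int) -> bytes:
    """INTEGER (0x02), minimal two's-complement encoding of a non-negative value."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True)
    return ber_tlv(0x02, body)


def bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.

    `name` is an LDAPDN octet string; AD additionally accepts a UPN
    (user@domain) there, which is the feature the post relies on.
    """
    if not password:
        # RFC 4513 5.1.2: a name with an empty password is an *unauthenticated*
        # bind. AD returns success for it, so a web auth module that forwards
        # an empty form password would let anyone in as that user.
        raise ValueError("refusing simple bind with empty password")
    auth = ber_tlv(0x80, password.encode("utf-8"))  # simple [0] IMPLICIT OCTET STRING
    bind = ber_tlv(0x60, ber_int(3) + ber_tlv(0x04, name.encode("utf-8")) + auth)
    return ber_tlv(0x30, ber_int(message_id) + bind)


def dn_bind(message_id: int, dn: str, password: str) -> bytes:
    """Classic bind: caller already knows the full DN (found via BindDN/BindPassword)."""
    return bind_request(message_id, dn, password)


def upn_bind(message_id: int, username: str, domain: str, password: str) -> bytes:
    """AD shortcut: bind with <username>@<domain>, no prior search for the DN."""
    return bind_request(message_id, f"{username}@{domain}", password)


def ber_read(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def bind_result_code(msg: bytes) -> int:
    """resultCode of LDAPMessage { messageID, BindResponse [APPLICATION 1] }.
    0 = success, 49 = invalidCredentials; anything but 0 must fail the login."""
    tag, body, _ = ber_read(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = ber_read(body)          # skip messageID
    op_tag, op, _ = ber_read(body, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse")
    rc_tag, rc, _ = ber_read(op)
    if rc_tag != 0x0A:
        raise ValueError("resultCode must be ENUMERATED")
    return int.from_bytes(rc, "big", signed=True)


# Constructed sample responses (not captured from a real DC): success and invalidCredentials,
# each with empty matchedDN and diagnosticMessage.
SAMPLE_BIND_OK = bytes.fromhex("300c020101" "61070a010004000400")
SAMPLE_BIND_INVALID = bytes.fromhex("300c020101" "61070a013104000400")


if __name__ == "__main__":
    print(dn_bind(1, "cn=jdoe,ou=users,dc=corp,dc=example", "s3cret").hex())
    print(upn_bind(2, "jdoe", "corp.example", "s3cret").hex())
    print(bind_result_code(SAMPLE_BIND_OK), bind_result_code(SAMPLE_BIND_INVALID))
```

The two requests differ only in the bytes of the name field, which is the whole point: nothing in the protocol changes, AD just resolves the UPN itself. Because a simple bind carries the password in clear, this only belongs on LDAPS or after StartTLS, and whatever module does it should treat any non-zero resultCode as a failed login and never pass an empty password through.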