Lars Kruse wrote:
Hi,
the attached patch adds a second option for non-anonymous binds to the
authnz_ldap module. Please consider it for adoption.
I've applied it to 2.2.14 today and tested on windows (AD).
It can't bind if the exact ldap folder is unknown.
Let's say we have users not in OU=Users, but in OU=Developers and OU=QA.
In order for developer to authenticate http would have to bind to AD
with search base "OU=Developers,dc=company,dc=com". But in order for QA
person, searach base should be different: "QA=Developers,dc=company,dc=com".
Let's say we do search by sAMAccountName. Then with current approach the
search base generate: "sAMAccountName=<user name>,dc=company,dc=com".
Such search base does not exist.
In order to search in subfolders, search base should be static, meaning
set in config file. And user name (variable part) should go into filter.
Then it will be possible to search in "dc=company,dc=com" including
subfolders by filter "(&(objectClass=user)(sAMAccountName=<user name>)"
I managed to make it working (dirty hack):
I bind with username as is (must be <user name>@organization.com), and
attribute in AuthLdapUrl should be set to "userPrincipalName".
So I changed the code:
- sec->binddn = apr_psprintf(r->pool, "%s=%s,%s", sec->attribute, user,
sec->basedn);
+ sec->binddn = apr_psprintf(r->pool, "%s", user);
The current situation:
The authnz_ldap module supports only one kind of non-anonymous bind to the ldap
server: by specifying the username ("binddn") and password ("bindpw") in an
apache config file. This is obviously not a very pretty thing, since you need
to take good care for file permissions (as an admin) and also users may feel a
little bit uncomfortable to put their plaintext login data into an htaccess
file.
Now, if we are at it, can we discuss encryption? Authnz_ldap will
request AD in plain text. Not good. Without AuthLDAPAuthOnBind only
single pseudo-user account was compromised with in ON, everybody's
account will travel across the network in plain text, even if you
connect to https via ssl!
I played a little bit with Apache Directory Studio, and I could connect
to AD only in 2 cases.
No encryption; Simple Authentication (plain text)
No encryption; Digest-md5 (SASL)
Any chance we can leverage digest-md5 authentication method?
Othervise I would allow only ssl-emabled connection to AD. May be with
some option "enable plain text if you know what you are doing".
Vadim.
