https://issues.apache.org/bugzilla/show_bug.cgi?id=48340
--- Comment #3 from Issac Goldstand <[email protected]> 2009-12-08 05:17:16 UTC ---
(In reply to comment #0)
> Created an attachment (id=24671)
> --> (https://issues.apache.org/bugzilla/attachment.cgi?id=24671) [details]
> the proposed patch
>
> I'm proposing a patch to use the username and password entered by the user in
> the compare phase.
> It does something similar to #43792, but differently:
> - it uses the dn retrieved from server, instead of appending a suffix to
>   username
> - it saves the password in authn_ldap_request_t, as long as needed then wipes
>   it
> It adds a new configuration flag: AuthLDAPBindAsUser
> The flag defaults to off, when set to 'on' enable the bind as user behaviour
> The patch is against 2.2.14.

I'm wondering what we're accomplishing by doing the authorization with the bound user? We're already using the config-supplied DN and password to bind during the authentication phase, and your patch still requires authentication to be provided by mod_authnz_ldap (to cache the password for the authorization bind), so what are we gaining by binding as the user only in the latter phase?

It's a bit confusing as at first read, I'd assumed that you were talking about the authentication bind, which would have made more sense, albeit would need to be documented as being as potentially dangerous as HTTP basic auth over the network (although this refers to the backend network), unless a secure connection to the LDAP server was used.
