[ cf. https://issues.apache.org/bugzilla/show_bug.cgi?id=48780 ]
Eric Covener has commented on my suggested enhancement for mod_auth_ldap, and I have replied. In this case, I am attempting to use LDAP for authorization, accepting authentication from another provider--this would most typically be mod_ssl, but I've seen other "in-family" cases in Bugzilla's history where people are working to integrate SSO with other authentication providers such as Kerberos [or more generally GSSAPI].

The as-is implementation re-binds the LDAP connection using the user and password provided to perform the compare phase. The proposed patch adds a [non-default] option to the LDAP provider that causes the compare phase to occur without a user-specific re-binding.

In the comments, I contemplate various "sanity checks" to prevent--or at the very least strongly caution against--inappropriate, insecure uses of this option.

--Pete