On Jul 29, 2009, at 5:59 AM, David Bond wrote:

> I don't want a configuration where there is a specific LDAP account used to authenticate the logons; I would like it to use the user's credentials to authenticate against AD. This connection should also be secure, so it doesn't expose any of the usernames or passwords. The BigAdmin document was the only one that I found which appeared to do this for me; I have found it difficult to locate example configurations that appear to be secure.
You don't want to use the user's credential to validate the user. That's a circular dependency that (at a minimum) leaves you open to a server-spoofing attack. You can avoid that problem by 1) using SSL/TLS to verify the LDAP server's identity; then you can use anonymous or the user's credentials to bind. Or 2) you use a host/proxy account to bind to the LDAP server.

------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz at jpl.nasa.gov, or hbhotz at oxy.edu
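The two configurations Henry describes, written out as an added example in the style of an OpenLDAP client ldap.conf and a PADL pam_ldap/nss_ldap ldap.conf. This is not from the original thread, from the BigAdmin document, or from Henry's own setup; the AD hostname, base DN, CA bundle path and proxy account are placeholders. The weak setting is shown first so the failure mode is visible: with server verification turned off, a host that answers on the AD address can accept any simple bind and harvest the user's password, which is exactly the spoofing attack the reply warns about.

```conf
# ---------------------------------------------------------------
# WEAK: user-credential bind with no server verification.
# A spoofed "AD" server on the network can collect every password
# that is sent to it, because the client never checks who it is
# talking to before binding.
# ---------------------------------------------------------------
# /etc/openldap/ldap.conf (OpenLDAP client library)
URI         ldaps://ad.example.com          # placeholder hostname
BASE        dc=example,dc=com               # placeholder base DN
TLS_REQCERT never                           # never verify the server cert

# ---------------------------------------------------------------
# OPTION 1: verify the LDAP server's identity with TLS first,
# then bind anonymously or with the user's own credentials.
# ---------------------------------------------------------------
# /etc/openldap/ldap.conf (OpenLDAP client library)
URI         ldaps://ad.example.com          # placeholder hostname
BASE        dc=example,dc=com               # placeholder base DN
TLS_CACERT  /etc/openldap/cacerts/ad-ca.pem # placeholder: CA that signed the DC cert
TLS_REQCERT demand                          # abort the connection if the cert
                                            # does not verify against TLS_CACERT

# /etc/ldap.conf (PADL pam_ldap / nss_ldap), same option
uri             ldaps://ad.example.com
base            dc=example,dc=com
ssl             on                          # LDAPS on port 636 (or "start_tls" on 389)
tls_checkpeer   yes                         # refuse unverifiable server certificates
tls_cacertfile  /etc/openldap/cacerts/ad-ca.pem
# No binddn/bindpw: pam_ldap binds as the user being authenticated,
# but only after the server certificate has been verified.

# ---------------------------------------------------------------
# OPTION 2: a host/proxy account does the directory lookups.
# Server verification is still configured; the proxy credential
# limits what a spoofed server could learn to a low-privilege,
# read-only account rather than every interactive user's password.
# ---------------------------------------------------------------
# /etc/ldap.conf (PADL pam_ldap / nss_ldap)
uri             ldaps://ad.example.com
base            dc=example,dc=com
ssl             on
tls_checkpeer   yes
tls_cacertfile  /etc/openldap/cacerts/ad-ca.pem
binddn          cn=ldapproxy,ou=ServiceAccounts,dc=example,dc=com   # placeholder
bindpw          <proxy-account-password>                             # placeholder;
                                                                     # file must be mode 0600
```

The proxy account in option 2 should be a plain, read-only directory user (not a Domain Admins member), and the file holding its password must be readable only by root, since anyone who can read it can bind as that account. In both options the step that actually closes the spoofing hole is the pair `TLS_REQCERT demand` / `tls_checkpeer yes` together with a CA file that contains only the CA you expect to have signed the domain controllers' certificates.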