Apache LDAP Authentication: Can I bind the user without searching for the DN first?

Solution 1

Unfortunately, it seems that mod_auth_ldap insists on building and executing a search instead of just attempting the bind with a DN that you give it. It's in the majority, in my experience; most applications that hit active directory via ldap (as opposed to, say, using the native NT user APIs) would rather search-then-bind instead of just trying to bind.

On the plus side (if you can call it that), a user account with no rights of any kind should satisfy your needs as long as there's nothing hectic going on permissions-wise in your ldap tree; membership in Authenticated Users should be enough to do all your search user needs to do. It can even be stripped out of Domain Users and assigned a different primary group; that should soften up the local bureaucracy a bit.

Solution 2

Actually, the options in Apache 2.3 seem to be AuthLDAPInitialBindAsUser and AuthLDAPInitialBindPattern.

The AuthLDAPCompareAsUser and AuthLDAPSearchAsUser are somewhat related, but those sound like they only take effect after the initial bind has taken place.

I haven't actually tried it (since I don't have apache 2.3 installed anywhere, at least not yet) but I think the config you need is something like this:

AuthLDAPInitialBindAsUser  on
AuthLDAPInitialBindPattern (.+) cn=$1,OU=Employees,DC=megacorp,DC=com

Solution 3

Apache 2.3.6 and later supports AuthLDAPCompareAsUser, which you are probably looking for.

http://httpd.apache.org/docs/2.3/mod/mod_authnz_ldap.html#authldapcompareasuser

This branch is beta, and may not yet be easily accessible for your OS.


dannyman

Unix SysAdmin, toolsmith

Updated on September 17, 2022

Comments

  • dannyman
    dannyman over 1 year

    When doing AuthType Basic authentication against an LDAP server, Apache first binds to search for the DN of the user, then binds with that DN to test the user's password. The challenge is that with AD, you typically can not perform an anonymous bind. So, you have to set AuthLDAPBindDN.

    But, I say, I already know the DN! I don't have to bind-search-bind, I can just bind as cn=_username_,OU=Employees,DC=megacorp,DC=com!

    This does not appear to be possible, but I thought I would ask: can I convince Apache to skip the bind-and-search-for-DN-to-use-for-bind by simply constructing a DN on the fly, or do I have to talk to the local bureaucracy for a special account with which I may bind to search for the user I wish to authenticate?

    Thanks!

    -danny

  • dannyman
    dannyman about 13 years
    The local bureaucracy hands out accounts for this like candy, so . . . but if someone's got a sexier solution I'm all ears. :)
  • dannyman
    dannyman almost 13 years
    In the future when I get a chance to try Apache 2.3 I hope to accept some combination of this and Fedor's answer.
  • dannyman
    dannyman almost 13 years
    In the future when I get a chance to try Apache 2.3 I hope to accept some combination of this and Eric's answer.
  • Fedor
    Fedor almost 13 years
    Actually, I've found a way to solve the problem for Apache 2.2 using mod_wsgi and a tiny Python script that checks the username and password in LDAP.