LDAP authentication is painful…


This topic contains 0 replies, has 0 voices, and was last updated by  jhughes 9 years, 11 months ago.

  • #41433

    jhughes
    Member

    I *love* zeroshell. I’ve enjoyed it for at least a year now. I recently updated to the newest version and have started to use it for LDAP serving (which is new to me as well). I have had limited success, until tonight.

    I would _very_ much like to see a field where the user can configure the rootbinddn directly from the configuration screen. Because this was missing from ldap.conf, I have worked for almost 2 weeks to get OpenFiler and separately Redmine to authenticate against ZeroShell, without success. In short, this one critical change has to be made manually via ssh, or most other packages will fail to use LDAP at all. I did get them all to access the system anonymously and fetch user and group names, but they would refuse to authenticate at all.

    Pretty Please? It’s a small change, but would dramatically improve user experience.

    Oh, and thanks again for the awesome distro. I love love love it.

    JH

    #47527

    christian
    Member

    I still have to play with the embedded LDAP server (btw, it’s exactly OpenLDAP) but, having worked a lot on LDAP servers, I noticed that the LDAP authentication process is quite often not well understood and therefore poorly implemented.

    I don’t understand what you mean with your request, that is to set “rootbinddn”. What I can tell you is that the “correct” (obviously from my standpoint 😉 ) LDAP authentication process is to:
    – prompt user for his/her credential (login/password)
    – ANONYMOUSLY search for the entry matching the login part (most of the time UID)
    – in case one (unique) entry is found, then retrieve DN and bind using this DN and password provided by user.
    No need here to search directory with any DN known in advance. No need to authenticate before being sure you found matching entry.

    The point is that LDAP clients (applications) very often do not implement this, targeting rather “direct authentication” and looking for attributes that are not available anonymously. Worst case (and btw, I saw a lot of applications doing this) being to get the user password from LDAP and compare it with the password as provided by the user during the authentication process. This method must be prohibited 👿

    Christian
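The three-step flow Christian describes (prompt for credentials, search anonymously for the login, bind as the single matching DN), written out as an added example. This is not ZeroShell or OpenLDAP code and is not from the thread; the `FakeDirectory` is a constructed in-memory stand-in for a server connection, and the sample entries and DNs are made up. It adds two caveats a practitioner would want around steps 2 and 3: the login is escaped before it is placed in the search filter (RFC 4515), so a value like `*)(uid=*` cannot rewrite the filter, and an empty password is refused before the bind, because a bind with a DN and an empty password is an "unauthenticated" bind (RFC 4513, section 5.1.2) that a server may report as successful while granting only anonymous access. The fake `bind()` emulates that server behaviour so the guard in `authenticate()` is what actually protects the application.

```python
"""Search-then-bind LDAP authentication (added example, not project code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


def escape_filter_value(value: str) -> str:
    """Escape a value for an LDAP filter assertion (RFC 4515).

    Each special or non-ASCII byte becomes \\XX (two hex digits). Without
    this, a login such as '*)(uid=*' would rewrite the filter and could
    match every entry in the directory.
    """
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b > 0x7F:
            out.append(f"\\{b:02x}")
        else:
            out.append(chr(b))
    return "".join(out)


def build_filter(login: str, attribute: str = "uid") -> str:
    """Step 2 filter: an equality assertion on the login attribute."""
    return f"({attribute}={escape_filter_value(login)})"


@dataclass
class FakeDirectory:
    """Constructed stand-in for a server connection; entries maps DN -> attrs.

    search() is anonymous and only understands the single equality filter
    build_filter() produces. bind() emulates a simple bind.
    """
    entries: Dict[str, Dict[str, str]]

    def search(self, base_dn: str, ldap_filter: str) -> List[str]:
        m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
        if not m:
            return []
        attr, raw = m.group(1), m.group(2)
        # Undo RFC 4515 escaping so the comparison is on the literal value.
        value = re.sub(rb"\\([0-9a-fA-F]{2})",
                       lambda h: bytes([int(h.group(1), 16)]),
                       raw.encode("utf-8")).decode("utf-8")
        return [dn for dn, attrs in self.entries.items()
                if dn.endswith(base_dn) and attrs.get(attr) == value]

    def bind(self, dn: str, password: str) -> bool:
        attrs = self.entries.get(dn)
        if attrs is None:
            return False
        if password == "":
            # Emulates an RFC 4513 5.1.2 "unauthenticated" bind: the server
            # reports success but grants only anonymous access. A client that
            # treats any successful bind as a login is fooled by this.
            return True
        return attrs.get("userPassword") == password


def authenticate(conn, base_dn: str, login: str, password: str) -> Optional[str]:
    """Return the user's DN on success, None on failure.

    1. credentials (login, password) come from the user
    2. anonymous search for the entry whose uid equals the login
    3. exactly one hit -> bind as that DN with the user's password
    """
    if not login or not password:
        return None          # an empty password would become an anonymous bind
    hits = conn.search(base_dn, build_filter(login))
    if len(hits) != 1:
        return None          # unknown user, or ambiguous login: refuse
    user_dn = hits[0]
    return user_dn if conn.bind(user_dn, password) else None


# Constructed sample directory (hypothetical). 'admin' is duplicated across
# two OUs to exercise the "exactly one entry" check.
DIRECTORY = FakeDirectory({
    "uid=jhughes,ou=Users,dc=example,dc=com":
        {"uid": "jhughes", "userPassword": "correct-horse"},
    "uid=admin,ou=Users,dc=example,dc=com":
        {"uid": "admin", "userPassword": "s3cret"},
    "uid=admin,ou=Service,dc=example,dc=com":
        {"uid": "admin", "userPassword": "other"},
})
BASE_DN = "dc=example,dc=com"

if __name__ == "__main__":
    print(authenticate(DIRECTORY, BASE_DN, "jhughes", "correct-horse"))  # the DN
    print(authenticate(DIRECTORY, BASE_DN, "jhughes", "wrong"))          # None
    print(authenticate(DIRECTORY, BASE_DN, "admin", "s3cret"))           # None: two matches
    print(authenticate(DIRECTORY, BASE_DN, "jhughes", ""))               # None: empty password
    print(authenticate(DIRECTORY, BASE_DN, "*)(uid=*", "x"))             # None: escaped filter
```

With a real client library the same `authenticate()` logic applies unchanged to its search and bind calls; only `FakeDirectory` is specific to this example. Note that the flow never reads `userPassword` back from the directory: the server, not the application, performs the password check during the bind, which is exactly why the "fetch and compare" method in the post is unnecessary.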
