[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP Authentication method(s)

To: Curt Blank <curt@uwm.edu>
Subject: Re: LDAP Authentication method(s)
From: Michael Ströder <michael@stroeder.com>
Date: Sat, 09 Feb 2008 11:37:20 +0100
Cc: openldap-software@openldap.org
In-reply-to: <47ACD0DB.8080809@uwm.edu>
References: <47ACD0DB.8080809@uwm.edu>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 SeaMonkey/1.1.8

Curt Blank wrote:

Using a privileged admin type DN that is allowed auth access to the userPassword attribute along with an ACL filter statement seems like the way to go. But implementing this technique appears easier said then done.

The original thought was to bind as the privileged admin DN and then do a, for lack of a better term, sub-bind as the users DN in hopes that the original bind as the privileged admin DN would then allow this restricted authentication to succeed. Well, we have not been able to accomplish this for probably one of two reasons. We're either doing something wrong, or it's just not possible.


It's not possible.

Excerpt from RFC 4511, section 4.2.1:

   Clients may send multiple Bind requests to change the authentication
   and/or security associations or to complete a multi-stage Bind
   process.  Authentication from earlier binds is subsequently ignored.
                                               ^^^^^^^^^^^^^^^^^^^^^^^^

Probably I did not fully understand your use-case but using the Proxy Authorization Control might be a solution for your particular problem too.

Ciao, Michael.

References:
- LDAP Authentication method(s)
  - From: Curt Blank <curt@uwm.edu>

Prev by Date: Re: how to extend a remote database with local entries ?
Next by Date: Re: help with ACLs
Index(es):
- Chronological
- Thread