
When doing AuthType Basic authentication against an LDAP server, Apache first binds to search for the DN of the user, then binds with that DN to test the user's password. The challenge is that with AD, you typically cannot perform an anonymous bind. So, you have to set AuthLDAPBindDN.

But, I say, I already know the DN! I don't have to bind-search-bind, I can just bind as cn=_username_,OU=Employees,DC=megacorp,DC=com!

This does not appear to be possible, but I thought I would ask: can I convince Apache to skip the bind-and-search-for-DN-to-use-for-bind by simply constructing a DN on the fly, or do I have to talk to the local bureaucracy for a special account with which I may bind to search for the user I wish to authenticate?

Thanks!

-danny

dannyman

3 Answers

Actually, the options in Apache 2.3 seem to be AuthLDAPInitialBindAsUser and AuthLDAPInitialBindPattern.

The AuthLDAPCompareAsUser and AuthLDAPSearchAsUser are somewhat related, but those sound like they only take effect after the initial bind has taken place.

I haven't actually tried it (since I don't have Apache 2.3 installed anywhere, at least not yet), but I think the config you need is something like this:

AuthLDAPInitialBindAsUser  on
AuthLDAPInitialBindPattern (.+) cn=$1,OU=Employees,DC=megacorp,DC=com

Eric
  • In the future when I get a chance to try Apache 2.3 I hope to accept some combination of this and Fedor's answer. – dannyman Aug 15 '11 at 18:19

Unfortunately, it seems that mod_auth_ldap insists on building and executing a search instead of just attempting the bind with a DN that you give it. It's in the majority, in my experience; most applications that hit Active Directory via LDAP (as opposed to, say, using the native NT user APIs) would rather search-then-bind instead of just trying to bind.

On the plus side (if you can call it that), a user account with no rights of any kind should satisfy your needs as long as there's nothing hectic going on permissions-wise in your LDAP tree; membership in Authenticated Users should be enough to do all your search user needs to do. It can even be stripped out of Domain Users and assigned a different primary group; that should soften up the local bureaucracy a bit.

Shane Madden
  • The local bureaucracy hands out accounts for this like candy, so . . . but if someone's got a sexier solution I'm all ears. :) – dannyman Mar 08 '11 at 20:54

Apache 2.3.6 and later supports AuthLDAPCompareAsUser, which you are probably looking for.

http://httpd.apache.org/docs/2.3/mod/mod_authnz_ldap.html#authldapcompareasuser

This branch is beta, and may not yet be easily accessible for your OS.

Fedor
  • In the future when I get a chance to try Apache 2.3 I hope to accept some combination of this and Eric's answer. – dannyman Aug 15 '11 at 18:19
  • Actually, I've found a way to solve the problem for Apache 2.2 using mod_wsgi and a tiny Python script that checks the username and password in LDAP. – Fedor Aug 19 '11 at 21:02
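Eric's answer builds the bind DN straight from the username that matches `(.+)`, and Fedor's comment describes checking the username and password in LDAP from a small Python script. As an added example that is not part of this thread, here is how such a script can construct the DN the question wants (cn=username,OU=Employees,DC=megacorp,DC=com) while escaping the username per RFC 4514, so that a comma or other special character in the supplied name cannot change which entry is bound, and while refusing empty passwords, which LDAP servers treat as an unauthenticated (effectively anonymous) bind rather than a failure. The directory contents are constructed for the offline demo, and the `bind` callable is a stand-in for a real simple bind via python-ldap or ldap3.

```python
from typing import Callable

# Base DN taken from the question.
BASE_DN = "OU=Employees,DC=megacorp,DC=com"

# RFC 4514 section 2.4: characters that must be backslash-escaped anywhere
# inside an attribute value of a distinguished name.
_SPECIAL = {",", "+", '"', "\\", "<", ">", ";"}


def escape_rdn_value(value: str) -> str:
    """Escape a string so it can be used as one RDN attribute value."""
    if not value:
        raise ValueError("empty RDN value")
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif (i == 0 and ch in (" ", "#")) or (i == last and ch == " "):
            # Leading space or '#', and trailing space, are also escaped.
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_bind_dn(username: str, base_dn: str = BASE_DN) -> str:
    """cn=<username>,<base>, as the question proposes, with the value escaped."""
    return f"cn={escape_rdn_value(username)},{base_dn}"


# Constructed sample directory (DN -> password) for the offline demo only.
FAKE_DIRECTORY = {
    "cn=jdoe,OU=Employees,DC=megacorp,DC=com": "hunter2",
    "cn=doe\\, john,OU=Employees,DC=megacorp,DC=com": "s3cret",
}


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for a simple bind; a real script would call the LDAP library here."""
    return FAKE_DIRECTORY.get(dn) == password


def check_credentials(username: str, password: str,
                      bind: Callable[[str, str], bool] = fake_bind) -> bool:
    """Authenticate by binding directly as the constructed DN (no search step)."""
    if not password:
        # A simple bind with an empty password is an unauthenticated bind,
        # which many servers accept; never let that count as a login.
        return False
    try:
        dn = build_bind_dn(username)
    except ValueError:
        return False
    return bind(dn, password)
```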