Hi there,

I've made a simple modification to the LDAP auth code to make it behave more like other LDAP auth implementations.

There are some limitations caused by the current implementation in that a DN must be assembled by plugging in the username. For example, uid=%s,dc=company,dc=com becomes uid=barberd,dc=company,dc=com.

LDAP auth should instead be done with a two-step process: first connect to LDAP and search for the user's object using a base DN and a search filter. Then take that result and attempt to bind as that object with the supplied password.

For example: search 'dc=company,dc=com' for '(&(objectClass=person)(uid=%s))', which will return the DN of 'uid=barberd,dc=company,dc=com'. Then take this DN and try to log in with the supplied password.

This gives several advantages:

1) The uid does not have to be in the DN. There can be an LDAP object such as 'cn=Don Barber, dc=company, dc=com' with an attribute of 'uid: barberdg'.

2) The user accounts no longer have to be children of the same node. For example, one can have two users:

uid=user1, ou=Human Resources, ou=People, dc=company, dc=com

and

uid=user2, ou=Admins, ou=Information Technology, ou=People, dc=company, dc=com

With a search base of 'ou=People, dc=company, dc=iip' the auth module will still find the correct DN with a search for 'uid=user1' or 'uid=user2', no matter how the company decides to structure its user accounts.

The modifications were pretty minor really. For configuration changes, it gets rid of LDAP_USER_TEMPLATE and renames LDAP_USER_FILTER to LDAP_USER_SEARCH.

I've attached the new file to this email. Thanks for considering it.

Don
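The search-then-bind flow described in the post, as an added illustration that is not the attached patch and not the project's own code. It replaces the LDAP server with a small in-memory directory (constructed sample entries, including the two users and the 'cn=Don Barber' object from the message) and a minimal evaluator for filters of the '(&(a=v)(b=v))' shape, so it runs offline; the names `search`, `bind`, `authenticate` and `escape_filter_value` are assumptions of this example. It also shows the two checks a defender wants on top of the flow: the username is escaped before it is substituted into LDAP_USER_SEARCH, so it cannot change the filter's structure, and an empty password or an ambiguous search result refuses the login rather than falling through to a bind.

```python
"""Two-step LDAP auth: search for the user's DN under a base, then bind as it.

Added example with an in-memory stand-in for the directory; it is not the
patch attached to the e-mail and not the project's own code.
"""

# Constructed sample directory: normalized DN -> attributes (attribute names
# stored lowercase, since LDAP attribute names are case-insensitive).
DIRECTORY = {
    "uid=user1,ou=human resources,ou=people,dc=company,dc=com": {
        "objectclass": ["person"], "uid": ["user1"], "userpassword": ["s3cret"]},
    "uid=user2,ou=admins,ou=information technology,ou=people,dc=company,dc=com": {
        "objectclass": ["person"], "uid": ["user2"], "userpassword": ["hunter2"]},
    "cn=don barber,dc=company,dc=com": {
        "objectclass": ["person"], "uid": ["barberdg"], "userpassword": ["pw"]},
}

# Configuration values as named in the post (values are assumptions).
LDAP_USER_SEARCH = "(&(objectClass=person)(uid=%s))"
LDAP_BASE_DN = "ou=People, dc=company, dc=com"


def escape_filter_value(value):
    """RFC 4515 escaping of a value substituted into a search filter.

    Backslash, parentheses, '*' and NUL become '\\xx' hex escapes, so a
    username such as 'user1)(uid=user2' stays a literal string.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def _unescape(value):
    """Reverse RFC 4515 hex escapes for comparison against stored values."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value) + 0 and i + 2 <= len(value) - 1:
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def _norm_dn(dn):
    """Normalize a DN for comparison: strip spaces after commas, lowercase."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def _in_subtree(dn, base_dn):
    dn, base_dn = _norm_dn(dn), _norm_dn(base_dn)
    return dn == base_dn or dn.endswith("," + base_dn)


def _parse(f, i):
    """Parse '(attr=value)', '(&...)' or '(|...)' starting at f[i] == '('."""
    i += 1
    if f[i] in "&|":
        op, i, kids = f[i], i + 1, []
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    j = f.index(")", i)                   # escaped ')' is '\29', so this is the real close
    attr, _, val = f[i:j].partition("=")
    return ("=", attr.lower(), _unescape(val)), j + 1


def _eval(node, attrs):
    if node[0] == "=":
        _, attr, val = node
        return val.lower() in [v.lower() for v in attrs.get(attr, [])]
    op, kids = node
    results = [_eval(k, attrs) for k in kids]
    return all(results) if op == "&" else any(results)


def search(base_dn, filter_str):
    """Step 1: return the DNs under base_dn whose entries match the filter."""
    node, _ = _parse(filter_str, 0)
    return [dn for dn, attrs in DIRECTORY.items()
            if _in_subtree(dn, base_dn) and _eval(node, attrs)]


def bind(dn, password):
    """Step 2: simple bind as dn; an empty password is never accepted."""
    entry = DIRECTORY.get(_norm_dn(dn))
    return bool(password) and entry is not None and password in entry["userpassword"]


def authenticate(username, password, base_dn=LDAP_BASE_DN, user_search=LDAP_USER_SEARCH):
    """Return the bound DN on success, None on any failure."""
    if not password:
        return None                       # would be an unauthenticated bind on a real server
    matches = search(base_dn, user_search % escape_filter_value(username))
    if len(matches) != 1:
        return None                       # unknown user, or ambiguous result: refuse
    return matches[0] if bind(matches[0], password) else None


if __name__ == "__main__":
    print(authenticate("user1", "s3cret"))   # found under ou=People, bind succeeds
    print(authenticate("barberdg", "pw"))    # outside the search base -> None
    print(authenticate("barberdg", "pw", base_dn="dc=company,dc=com"))
```

In a real deployment the search in step 1 is done over a connection bound as a dedicated read-only service account (or anonymously, if the directory permits), and step 2 opens a fresh bind as the DN that was found; the evaluator here supports only equality, '&' and '|', which is enough for the filter shape in the post.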
swamp-devel mailing list
https://lists.sourceforge.net/lists/listinfo/swamp-devel
http://swamp.sf.net