Closed GoogleCodeExporter closed 9 years ago
[deleted comment]
Oops, I can't edit the issue description :(.
Please take a look at the attached picture. Most applications which use LDAP as
an authentication mechanism need these settings to work:
1. LDAP server (ldap_server in mollify)
2. Base DN - the place in the directory where we can find user accounts (ldap_conn_string in mollify)
3. Bind DN - account used for binding to the LDAP server and browsing the directory
There is no possibility to set Bind DN in mollify. Does this mean that only
anonymous binds are allowed?
Original comment by bia...@gmail.com
on 2 Sep 2014 at 9:10
The problem probably is that I just don't have enough understanding of
LDAP, haven't actually used it myself as I don't have a server of my own. Many
times I've received requests to improve the LDAP, and I have asked for a concrete
example of how, but no one has given me one.
Current behaviour is explained here:
https://code.google.com/p/mollify/wiki/BackendSettings#LDAP_connection_string_(_ldap_conn_string_)
So at the moment you can have the username in the binding (this connection string
goes to the PHP ldap_bind method:
http://php.net/manual/en/function.ldap-bind.php).
Can you explain how exactly I should improve this? In Mollify there is only
the username (and password, of course) that could be useful for LDAP binding, and
this is already possible with the examples shown.
Original comment by samuli.j...@gmail.com
on 4 Sep 2014 at 11:08
Any thoughts? I'll close this if there are no suggestions.
Original comment by samuli.j...@gmail.com
on 29 Dec 2014 at 9:09
I will give you the feedback tomorrow. Today, I'm still on my holiday.
Original comment by bia...@gmail.com
on 29 Dec 2014 at 10:42
Sure, no rush. I didn't mean I'm closing it this second, this has just been
open for more than 4 months, so it seemed like there is no progress.
Original comment by samuli.j...@gmail.com
on 29 Dec 2014 at 10:52
I've forgotten about this case, that's why there was no progress ;).
Original comment by bia...@gmail.com
on 29 Dec 2014 at 11:03
Do you take code submissions? If so, in what format? I have coded up
something that should help.
There are changes to Settings.class.php and AuthenticatorLDAP.class.php. In
order to keep compatibility with existing configs the 'search' string triggers
the new functionality. This can obviously change as needed.
It also allows enabling starttls.
There are 5 new settings:
ldap_use_starttls - attempt to use StartTLS on non-ldaps connections (forces LDAP v3)
ldap_search - the search query to use. All instances of '[USER]' are replaced with the user name. This is also the value that triggers the 'search' binding if set.
ldap_base_dn - Base DN for searches
ldap_bind_dn - Bind DN of search user
ldap_bind_pw - Password for search user
Original comment by snaggle...@gmail.com
on 3 Jan 2015 at 11:31
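The search-then-bind flow that the five settings in the comment above describe, as an added sketch in PHP; it is not the submitted patch or Mollify's AuthenticatorLDAP code. The function name `ldapSearchThenBind()` is hypothetical, `ldap_server` is assumed to hold an `ldap://` or `ldaps://` URI, and the sample host, DNs and passwords are constructed placeholders.

```php
<?php
// Added illustration (hypothetical function name); setting keys are the ones listed above.
function ldapSearchThenBind(array $s, string $user, string $password): bool {
    // An empty password turns ldap_bind() into an unauthenticated bind, which many
    // servers report as success, so reject it before contacting the directory.
    if ($user === '' || $password === '') {
        return false;
    }
    $conn = ldap_connect($s['ldap_server']);
    if ($conn === false) {
        return false;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3); // StartTLS needs LDAP v3
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    try {
        // Upgrade non-ldaps connections before any credential is sent; fail closed.
        $isLdaps = stripos($s['ldap_server'], 'ldaps://') === 0;
        if (!empty($s['ldap_use_starttls']) && !$isLdaps && !@ldap_start_tls($conn)) {
            return false;
        }
        // Step 1: bind as the search account.
        if (!@ldap_bind($conn, $s['ldap_bind_dn'], $s['ldap_bind_pw'])) {
            return false;
        }
        // Step 2: replace [USER] with the filter-escaped name, so characters such as
        // * ( ) \ typed into the login field cannot alter the search filter.
        $safeUser = ldap_escape($user, '', LDAP_ESCAPE_FILTER);
        $filter = str_replace('[USER]', $safeUser, $s['ldap_search']);
        // '1.1' requests no attributes; the size limit of 2 is enough to detect ambiguity.
        $result = @ldap_search($conn, $s['ldap_base_dn'], $filter, ['1.1'], 0, 2);
        $entries = $result === false ? false : ldap_get_entries($conn, $result);
        // Exactly one match is required; zero or several both mean a failed login.
        if ($entries === false || $entries['count'] !== 1) {
            return false;
        }
        // Step 3: re-bind as the DN that was found, with the password the user typed.
        return @ldap_bind($conn, $entries[0]['dn'], $password);
    } finally {
        ldap_unbind($conn);
    }
}

// Constructed sample settings: placeholder host, DNs and passwords.
$settings = [
    'ldap_server' => 'ldap://ldap.example.test', 'ldap_use_starttls' => true,
    'ldap_search' => '(&(objectClass=person)(uid=[USER]))',
    'ldap_base_dn' => 'ou=people,dc=example,dc=test',
    'ldap_bind_dn' => 'cn=search,dc=example,dc=test', 'ldap_bind_pw' => 'placeholder',
];
var_dump(ldapSearchThenBind($settings, 'alice', 'constructed-password'));
```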
Great! I can take modifications in any way you like, you could for example just
send the authenticator class as is, and I'll merge it.
Original comment by samuli.j...@gmail.com
on 3 Jan 2015 at 12:33
Sounds great :)!
Original comment by bia...@gmail.com
on 3 Jan 2015 at 1:01
Oh. OK. Well, here's a tgz with the original, new and .patch files for each
of them. Enjoy! :-)
Original comment by snaggle...@gmail.com
on 3 Jan 2015 at 5:37
Thanks a lot! I've committed it in the repo, and it will be in the next release.
Original comment by samuli.j...@gmail.com
on 4 Jan 2015 at 9:19
Included in the .21 release. Thanks again!
Original comment by samuli.j...@gmail.com
on 6 Jan 2015 at 11:16
Original issue reported on code.google.com by
bia...@gmail.com
on 2 Sep 2014 at 9:05