cherokee / webserver

Cherokee Web Server
GNU General Public License v2.0

bind to LDAP with authenticated user from Basic Auth #694

Open danielniccoli opened 11 years ago

danielniccoli commented 11 years ago

Original author: stephane...@gmail.com (June 19, 2010 13:03:50)

What steps will reproduce the problem?

  1. cherokee would not start with an anonymous bind 1.0.2
  2. am I really forced to specify a bind DN and password?
  3. Apache would bind to ldap with the credentials passed from the authentication box

What is the expected output? What do you see instead?

Apache mod_auth_ldap authentication allows binding with the user's own credentials and checking group membership. I would like to be able to configure an equivalent of this in Cherokee:

```apache
AuthBasicProvider ldap
AuthType Basic
AuthLDAPGroupAttribute uniqueMember
AuthLDAPGroupAttributeIsDN on
AuthLDAPURL "ldap://127.0.0.1/dc=mydomain,dc=net"
require ldap-group cn=groupname,ou=Roles,dc=mydomain,dc=net
```

What version of the product are you using? On what operating system?

1.0.2 on Gentoo Linux

Please provide any additional information below.

Original issue: http://code.google.com/p/cherokee/issues/detail?id=913

danielniccoli commented 11 years ago

From da...@davidjb.com on April 07, 2011 05:55:32

Attempting to bind anonymously with Cherokee 1.2.2 (Ubuntu 10.10, PPA) produces this error for me:

07/04/2011 15:50:45.501 validator_ldap.c:145 - Security problem found in LDAP validation config | LDAP validator: Potential security problem found: anonymous bind validation. Check (RFC 2251, section 4.2.2)

It might be a 'potential' issue, but it's how I'm to interact with the LDAP system I'm to use. Can this be made a warning only or so forth?

danielniccoli commented 11 years ago

From stephane...@gmail.com on September 17, 2011 16:19:00

It seems the anonymous bind is still a critical error on cherokee 1.2.99. Any plans to make this either a warning only or to fully support anonymous binds in the way apache does?

The auth will not be anonymous in the end since it's the user credentials that will be used to authenticate to the LDAP server. No cleartext passwords passed over.
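The flow the reporters are asking for (bind to the directory with the Basic Auth credentials, then require membership in the group from the issue's `require ldap-group` line) as an added example, written for this thread rather than taken from Cherokee's `validator_ldap.c` or Apache's mod_auth_ldap. It also shows why a validator still has to guard against the anonymous case: under RFC 4513 section 5.1.2 a simple bind with a DN and an empty password does not fail, it silently becomes an unauthenticated (anonymous) session, so a check that only trusts "bind succeeded" accepts any username with an empty password. The in-memory `FakeLdapServer`, the `uid=<user>,ou=People,<base>` entry layout, and the alice/bob credentials are constructed assumptions so the code runs offline; the base DN and group DN are the ones from the issue.

```python
import base64
import re
from typing import Dict, Optional, Set, Tuple

BASE_DN = "dc=mydomain,dc=net"                          # from the issue's AuthLDAPURL
GROUP_DN = "cn=groupname,ou=Roles,dc=mydomain,dc=net"   # from the issue's require ldap-group

class FakeLdapServer:
    """Constructed in-memory stand-in for a directory so the flow runs offline.
    It mimics the RFC 4513 section 5.1.2 behaviour behind anonymous-bind checks:
    a simple bind with a DN and an EMPTY password yields an anonymous session.
    """

    def __init__(self, passwords: Dict[str, str], groups: Dict[str, Set[str]]):
        self.passwords = passwords              # user DN -> password
        self.groups = groups                    # group DN -> uniqueMember DNs
        self.bound_as: Optional[str] = None     # None means anonymous

    def simple_bind(self, dn: str, password: str) -> bool:
        """Return True when the bind 'succeeds', including the anonymous case."""
        if password == "":
            self.bound_as = None                # unauthenticated bind -> anonymous
            return True
        if self.passwords.get(dn) == password:
            self.bound_as = dn
            return True
        return False

    def group_has_member(self, group_dn: str, member_dn: str) -> bool:
        """Stand-in for a (uniqueMember=<dn>) search against the group entry."""
        return member_dn in self.groups.get(group_dn, set())

def parse_basic_auth(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic base64(user:password)'; None if the header is malformed."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:                          # binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def user_dn_for(user: str) -> str:
    # Hypothetical entry layout assumed for the example: uid=<user>,ou=People,<base>.
    return "uid=%s,ou=People,%s" % (user, BASE_DN)

def naive_bind_only(server: FakeLdapServer, header: str) -> bool:
    """The trap: trusting 'bind returned success' lets an empty password through."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    return server.simple_bind(user_dn_for(creds[0]), creds[1])

def authenticate(server: FakeLdapServer, header: str, group_dn: str = GROUP_DN) -> Tuple[bool, str]:
    """Bind as the Basic Auth user, then require membership in group_dn."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False, "malformed Authorization header"
    user, password = creds
    # Only accept names that need no DN/filter escaping (RFC 4514 / RFC 4515).
    if not re.fullmatch(r"[A-Za-z0-9._@-]+", user):
        return False, "username contains characters not allowed in a DN"
    # Refuse before touching the directory: an empty password would turn the
    # simple bind into an anonymous one that 'succeeds'.
    if password == "":
        return False, "empty password would yield an anonymous bind"
    user_dn = user_dn_for(user)
    if not server.simple_bind(user_dn, password):
        return False, "bind failed"
    if server.bound_as != user_dn:
        return False, "session is not authenticated as the user"
    if not server.group_has_member(group_dn, user_dn):
        return False, "user is not a uniqueMember of the required group"
    return True, user_dn

def make_basic_header(user: str, password: str) -> str:
    """Build the header a browser sends after the authentication box (constructed)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

def make_sample_directory() -> FakeLdapServer:
    """Constructed sample data: alice is in the group, bob is not."""
    alice, bob = user_dn_for("alice"), user_dn_for("bob")
    return FakeLdapServer({alice: "s3cret", bob: "hunter2"}, {GROUP_DN: {alice}})

if __name__ == "__main__":
    directory = make_sample_directory()
    for hdr in (make_basic_header("alice", "s3cret"), make_basic_header("alice", "")):
        print(authenticate(directory, hdr), "naive:", naive_bind_only(directory, hdr))
```

Run as a script it prints the accepted alice session and then the rejected empty-password attempt beside the naive check that would have accepted it. Against a real server the `FakeLdapServer` methods map onto a simple bind and a `(uniqueMember=<user DN>)` search with a proper LDAP client; the two defensive points carried over from this thread's discussion are refusing empty passwords before binding and checking that the resulting session is actually authenticated as the user, not merely that the bind call returned success.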