milux / ctldap

LDAP Wrapper for ChurchTools
GNU General Public License v3.0

Support full LDAP Protocol for Apache Ldap Mod #19

Closed canchanchara closed 4 years ago

canchanchara commented 5 years ago

I would like to use the Apache LDAP Module. https://httpd.apache.org/docs/2.4/mod/mod_authnz_ldap.html

Currently it does not work. I think one reason is the missing support for a full ldaps URL with parameters. Also, maybe a wrong implementation of finding the groups of users.

The following configuration should work if the adapter supported the full LDAP protocol:

<Directory /var/www/html/auth-ldap>
AuthName "LDAP Authentication"
AuthType Basic
AuthBasicProvider ldap
AuthLDAPBindDN cn=root,ou=users,o=<churchtoolsaccount>
AuthLDAPBindPassword SECRET
AuthLDAPURL ldaps://ldap.church.tools/o=<churchtoolsaccount>?uid?sub
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=<groupname>,ou=groups,o=<churchtoolsaccount>
</Directory>

groupname = Group name in Church Tools for the group you created
churchtoolsaccount = Church Tools account name
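To make concrete what "a full ldaps URL with parameters" means for a server that wants to work behind mod_authnz_ldap, here is an added example (not part of the issue or of the ctldap code) that parses an AuthLDAPURL the way RFC 4516 defines it, derives the search filter Apache builds from it (the URL filter ANDed with attribute=username, with the username escaped per RFC 4515 so it cannot alter the filter), and lists the compare operations Apache issues for a Require ldap-group check. The account name `example-account`, the group `cn=members` and the usernames are constructed placeholders; the defaults (scope base, filter `(objectClass=*)`, group attributes `member`/`uniqueMember`) are those of RFC 4516 and the mod_authnz_ldap documentation.

```python
from urllib.parse import urlsplit, unquote

# Default TCP ports for the two URL schemes Apache accepts.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
VALID_SCOPES = {"base", "one", "sub"}

# Default group attributes searched by Require ldap-group (AuthLDAPGroupAttribute).
DEFAULT_GROUP_ATTRS = ("member", "uniqueMember")


def parse_ldap_url(url):
    """Parse scheme://host[:port]/basedn[?attrs[?scope[?filter]]] (RFC 4516)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("LDAP URL has no host")
    # The query part holds up to three '?'-separated fields; missing ones
    # fall back to the RFC defaults.
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))
    attrs, scope, filt = fields[:3]
    # mod_authnz_ldap only uses the first attribute of a comma-separated list.
    attribute = (attrs.split(",")[0] if attrs else "uid").strip()
    scope = scope or "base"
    if scope not in VALID_SCOPES:
        raise ValueError("invalid scope: %r" % scope)
    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "port": parts.port or DEFAULT_PORTS[parts.scheme],
        "base_dn": unquote(parts.path.lstrip("/")),
        "attribute": attribute,
        "scope": scope,
        "filter": unquote(filt) or "(objectClass=*)",
    }


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(parsed, username):
    """Filter Apache sends when looking up the authenticating user."""
    return "(&%s(%s=%s))" % (
        parsed["filter"], parsed["attribute"], escape_filter_value(username))


def group_compare_requests(group_dn, username, user_dn, attr_is_dn=True,
                           group_attrs=DEFAULT_GROUP_ATTRS):
    """Compare requests (dn, attribute, value) issued for Require ldap-group.

    With AuthLDAPGroupAttributeIsDN on, the group attribute must hold the
    user's DN; with it off (as in the issue's config) it must hold the
    plain username, so the server must support a Compare on the group entry.
    """
    value = user_dn if attr_is_dn else username
    return [(group_dn, attr, value) for attr in group_attrs]


if __name__ == "__main__":
    # Constructed URL mirroring the issue's configuration.
    cfg = parse_ldap_url("ldaps://ldap.church.tools/o=example-account?uid?sub")
    print(cfg)
    print(user_search_filter(cfg, "alice"))
    for req in group_compare_requests("cn=members,ou=groups,o=example-account",
                                      "alice", "cn=alice,ou=users,o=example-account",
                                      attr_is_dn=False):
        print("compare", req)
```

The three functions together describe the minimum an LDAP front end needs to honour for this configuration: a Search with the given base, scope and a compound filter, and a Compare against the group entry's membership attribute.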

milux commented 4 years ago

No clue why this is not working, sorry. You're right, we're not supporting "the full LDAP protocol" (i.e. Active Directory like?), but this is partly due to the many limitations of the LDAP server library in use, and certain things are simply not possible technically, for instance because we cannot fetch user passwords hashed with NTHASH. (And believe me, this is a good thing!)

So if somebody comes up with technical details about what to do, I might look into it. Otherwise, this is not going to be handled. Closing this until somebody provides useful information.