Re: Apache LDAP authentication and non anonymous binding?


 



2008/2/14 Eric Covener <covener@xxxxxxxxx>:
> On Thu, Feb 14, 2008 at 9:13 AM, Radosław Antoniuk
> <radek.antoniuk@xxxxxxxxx> wrote:
>
> > So, Is it possible? The question is, is there a way of using the
> > actual login/password credentials for the binding phase and if bind
> > succeeds ==> authentication true and go to authorization phase?
>
> The problem you're hitting is that before Apache can use the
> username/password provided, it needs to translate the "web" username
> into an LDAP distinguished name by querying LDAP -- this is what the
> BindDN/Password are for.
>
> Maybe your MSAD folks can setup a limited access user that can perform
> this specific query?

There is a little-known feature of AD that allows one to bind to the directory using <username>@<domain>. That way, if you know the username and the domain (which is often the same for everyone), you can authenticate against an AD without having to bind first to find the dn.

There are no native Apache modules that I am aware of that allow this, though; however, this would be extremely useful.

The Perl module AuthenMSAD, however, does exactly this and works very well, but you need mod_perl for it. I use it on my site, together with another Perl authentication module that does caching, so that not every request results in a bind to the AD server.

Krist






--
krist.vanbesien@xxxxxxxxxxxxxx@vanbesien.org
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
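
An added sketch of the approach described in the message above (not code from the thread, from AuthenMSAD, or from Apache): authenticate by binding directly as `<username>@<domain>` and cache successes so that not every request results in a bind. The class name, the `bind_fn` callable, the name pattern and the TTL are assumptions; in a deployment `bind_fn` would wrap a real LDAP simple bind over TLS.

```python
import hashlib
import hmac
import os
import re
import time

# Conservative allow-list for the logon name (an assumption; adjust to site policy).
_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


class DirectBindAuthenticator:
    """Authenticate by binding as <username>@<domain>, with a short-lived cache."""

    def __init__(self, domain, bind_fn, ttl=300, clock=time.monotonic):
        self.domain = domain
        self.bind_fn = bind_fn       # hypothetical: (principal, password) -> bool
        self.ttl = ttl
        self.clock = clock
        self._key = os.urandom(16)   # per-process key; cache never holds cleartext
        self._cache = {}             # principal -> (password digest, expiry time)

    def _digest(self, principal, password):
        msg = principal.encode() + b"\0" + password.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def authenticate(self, username, password):
        # Reject names that carry their own "@domain" or LDAP metacharacters,
        # so the caller cannot choose which domain the bind is sent to.
        if not _NAME_RE.match(username):
            return False
        # RFC 4513: a simple bind with a name and an empty password is an
        # "unauthenticated" bind and may succeed without proving anything.
        if not password:
            return False
        principal = f"{username}@{self.domain}".lower()
        digest = self._digest(principal, password)
        hit = self._cache.get(principal)
        if hit and hit[1] > self.clock() and hmac.compare_digest(hit[0], digest):
            return True              # recent successful bind, same password
        ok = bool(self.bind_fn(principal, password))
        if ok:
            self._cache[principal] = (digest, self.clock() + self.ttl)
        else:
            self._cache.pop(principal, None)  # failed bind evicts any stale entry
        return ok
```

A cached entry keeps authenticating until its TTL expires even if the password was changed or the account disabled in AD, so the TTL bounds how long a revoked credential remains usable.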
