On Wed, Apr 23, 2008 at 3:05 PM, Harry Holt <harryholt@xxxxxxxxx> wrote:
> Well... that was my assumption. But looking at the trace, it is in fact
> performing an anonymous search before attempting the bind. Maybe it's
> possible to specify a fully qualified DN and avoid the search, I don't know.

That is the reason why I'm using a custom perl module instead of the
standard ldap modules. Our AD servers don't allow anonymous binds, and
our password policy requires a password change every 6 weeks... These
two things together made using mod_authz_ldap impractical.

And the anonymous bind and ldap search is actually not needed when using
an MS AD server. A little-known feature of MS AD is that you can bind
using "user@domain" as username. You can just test if a bind using this
user and the password supplied by the user is successful. That is what
the perl module I use does. (The module is Apache2::AuthenMSAD)

Krist

--
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
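
The direct "user@domain" bind described in the message above, as an added example that is not part of the original post and is not the code of Apache2::AuthenMSAD. The server name, domain, CA file path and the function names upn_for and ad_password_ok are assumptions; the sketch uses Net::LDAP and rejects empty passwords before binding, because a simple bind with an empty password can succeed without any credential check.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

# Placeholders (assumptions, not values from the original message).
my $AD_SERVER = 'ldaps://dc.example.com';
my $AD_DOMAIN = 'example.com';
my $CA_FILE   = '/etc/ssl/certs/ad-ca.pem';

# Build "user@domain" from a bare login name. Returns nothing for names
# that are empty or contain characters outside a conservative set.
sub upn_for {
    my ($user, $domain) = @_;
    return unless defined $user && $user =~ /\A[A-Za-z0-9._-]{1,64}\z/;
    return "$user\@$domain";
}

# Returns 1 if AD accepts a bind as user@domain with this password, else 0.
sub ad_password_ok {
    my ($user, $password) = @_;

    # A simple bind with a name and an empty password is an
    # "unauthenticated bind" (RFC 4513) and can report success,
    # so it must never be passed through as a password check.
    return 0 unless defined $password && length $password;

    my $upn = upn_for($user, $AD_DOMAIN) or return 0;

    # The password travels inside the bind request, so use LDAPS and
    # verify the server certificate. Fail closed if the connection fails.
    my $ldap = Net::LDAP->new($AD_SERVER, timeout => 10,
                              verify => 'require', cafile => $CA_FILE)
        or return 0;

    my $mesg = $ldap->bind($upn, password => $password);
    my $ok   = ($mesg->code == LDAP_SUCCESS) ? 1 : 0;
    $ldap->unbind;
    return $ok;
}

# Command-line use: user name as argument, password on stdin.
unless (caller) {
    my ($user) = @ARGV or die "usage: $0 USER (password read from stdin)\n";
    chomp(my $password = <STDIN> // '');
    print ad_password_ok($user, $password) ? "bind ok\n" : "bind failed\n";
}
```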