Re: Ldap Bind (w/ mod_auth_ldap)


Both Apache 2 and 2.2 work with LDAPs that disallow anonymous access, including AD, though you really need 2.2 for things to fully work as AD will close idle LDAP connections and 2.0 can't handle its connections being closed behind its back, whereas 2.2 can.

You do have to specify full DN and password in the Apache config, of course.

If you're wed to AD and have a stupid password change policy (Sarbanes-Oxley is inane in this regard -- this just encourages lower-quality passwords, writing down passwords, etc -- and appears to have been little more than corporate welfare for security/IT consulting companies in this regard), then you might try mod_auth_sspi if you're running Apache on Windows.

--
Jess Holle

Krist van Besien wrote:
On Wed, Apr 23, 2008 at 3:05 PM, Harry Holt <harryholt@xxxxxxxxx> wrote:

Well... that was my assumption. But looking at the trace, it is in fact performing an anonymous search before attempting the bind. Maybe it's possible to specify a fully qualified DN and avoid the search, I don't know.

That is the reason why I'm using a custom perl module instead of the standard ldap modules. Our AD servers don't allow anonymous binds, and our password policy requires a password change every 6 weeks... These two things together made using mod_authz_ldap impractical.

And the anonymous bind and ldap search is actually not needed when using an MS AD server. A little-known feature of MS AD is that you can bind using "user@domain" as username. You can just test if a bind using this user, and the password supplied by the user, is successful. That is what the perl module I use does. (The module is Apache2::AuthenMSAD)

Krist
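For reference, an Apache 2.2 mod_authnz_ldap configuration of the kind Jess describes, where the search that precedes the user bind runs as a named service account because AD refuses anonymous binds. This is an added example, not configuration from anyone in the thread or from Apache2::AuthenMSAD; the hostname, base DN, CA file path and service account are placeholders to replace with your own.

```apache
# Added example (not from the thread): Apache 2.2 + mod_authnz_ldap against
# an Active Directory that disallows anonymous binds.
LoadModule ldap_module        modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so

# Verify the domain controller's certificate so the service-account password
# and every user password only travel inside a validated TLS session.
# (CA file path is a placeholder.)
LDAPTrustedGlobalCert CA_BASE64 /etc/httpd/conf/ad-root-ca.pem
LDAPVerifyServerCert On

<Location /intranet>
    AuthType Basic
    AuthName "Intranet"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative On

    # Look users up by userPrincipalName, so they log in as user@example.com,
    # the same "user@domain" form AD accepts for the bind itself.
    # Use ldaps:// so the bind happens over TLS. (Host and base DN are placeholders.)
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?userPrincipalName?sub?(objectClass=user)"

    # AD rejects the anonymous search mod_authnz_ldap performs before binding
    # as the user, so give it a dedicated, read-only service account. In 2.2
    # this password is stored in clear text, so restrict who can read this file.
    # (DN and password are placeholders.)
    AuthLDAPBindDN "CN=svc-httpd-ldap,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD"

    Require valid-user
</Location>
```

With this in place the module searches for the UPN as the service account, then binds as the matched user's DN with the password the user supplied; a failed bind is an authentication failure, which is the same check Krist's module makes directly with the UPN.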
  
