On Wed, Apr 23, 2008 at 4:03 PM, Jess Holle <jessh@xxxxxxx> wrote:
>
> Both Apache 2 and 2.2 work with LDAPs that disallow anonymous access,
> including AD, though you really need 2.2 for things to fully work as AD will
> close idle LDAP connections and 2.0 can't handle its connections being
> closed behind its back, whereas 2.2 can.
>
> You do have to specify full DN and password in the Apache config, of
> course.

This is my point. Why do you have to have either anonymous access or a dedicated BindDN for your apache when strictly speaking you wouldn't need them for ldap authentication? If you know how to convert a username to a DN that allows binding to the LDAP, you know enough to be able to authenticate against ldap. mod_authz_ldap ought to make this possible. Maybe I should try my hand at writing a patch for the module.

> If you're wed to AD and have a stupid password change policy
> (Sarbanes-Oxley is inane in this regard -- this just encourages
> lower-quality passwords, writing down passwords, etc -- and appears to have
> been little more than corporate welfare for security/IT consulting companies
> in this regard), then you might try mod_auth_sspi if you're running Apache
> on Windows.

I will not consider running apache on windows. I do value my sanity after all.

Krist

--
krist.vanbesien@xxxxxxxxx
krist@xxxxxxxxxxxxx
Bremgarten b. Bern, Switzerland

--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
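The "convert a username to a DN and bind as that user" flow Krist describes has two traps a module author has to handle: the username is attacker-controlled text that ends up inside a DN (or, in the service-bind-then-search variant Jess describes, inside a search filter), and LDAP treats a simple bind with a DN but an empty password as an anonymous bind that the server may report as successful (RFC 4513, section 5.1.2). The Python below is an added example, not code from the thread, from mod_authnz_ldap or from any Apache module; the base DN `ou=people,dc=example,dc=org`, the `uid` RDN attribute and the sample usernames are constructed values.

```python
"""Safe username-to-DN conversion for the bind-as-the-user LDAP flow.

Added example; the base DN and attribute names below are assumptions.
"""

# Characters that must be backslash-escaped inside a DN attribute value
# (RFC 4514, section 2.4).  A NUL is hex-escaped, and a space is escaped
# only at the start or end of a value, '#' only at the start.
_DN_SPECIALS = {'"', '+', ',', ';', '<', '>', '\\', '='}

# Characters that must be hex-escaped inside a search filter value
# (RFC 4515, section 3).
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29',
                   '\x00': r'\00'}


def escape_dn_value(value: str) -> str:
    """Escape one attribute value so it cannot terminate or extend the RDN."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        elif ch == '#' and i == 0:
            out.append('\\#')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def username_to_bind_dn(username: str,
                        base_dn: str = "ou=people,dc=example,dc=org",
                        rdn_attr: str = "uid") -> str:
    """Build the DN to bind as, without a service account or anonymous search.

    Escaping keeps a login name such as "x,ou=admins" inside the uid value
    instead of letting it rewrite the rest of the DN.
    """
    if not username:
        raise ValueError("empty username")
    return f"{rdn_attr}={escape_dn_value(username)},{base_dn}"


def build_uid_filter(username: str, rdn_attr: str = "uid") -> str:
    """Filter for the alternative flow: bind as a service DN, then search."""
    return f"({rdn_attr}={escape_filter_value(username)})"


def simple_bind_request(username: str, password: str):
    """Return the (dn, password) pair to send in a simple bind, or None.

    Returns None when the password is empty: sending a DN with an empty
    password is an unauthenticated (anonymous) bind, which many servers
    accept, so treating that reply as a login would admit anyone.
    """
    if not password:
        return None
    return username_to_bind_dn(username), password


if __name__ == "__main__":
    for name in ("krist", "x,ou=admins", "*)(uid=*"):
        print(username_to_bind_dn(name), "|", build_uid_filter(name))
    print(simple_bind_request("krist", ""))
```

`simple_bind_request` returns the pair the caller would hand to its LDAP client's bind call; the DN and filter builders are independent of any client library, so the same escaping applies whether the module later uses OpenLDAP's C API or anything else.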