> -----Original Message-----
> From: Davide Bianchi [mailto:davide@xxxxxxxxxxxxxxxxxxxxxxxxxxxx]
> Sent: Thursday, February 26, 2009 6:51 AM
> To: users@xxxxxxxxxxxxxxxx
> Subject: Re: Confused about LDAP authentication with Active Directory
>
> Ed Avis wrote:
> > <http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html> imply that
> > Apache connects to the LDAP server using a fixed username and
> > password, and then merely queries the existence of an object in the
> > directory that matches the username. If so, how does it check the
> > password supplied by the user?
>
> The problem is that in order to check the password, you need to 'bind'
> to the AD server using the correct DN; in order to find the DN you need
> to query the AD server with the username. But AD doesn't allow you to
> query it without first binding.
>
> So you need to bind in order to query, but you need to query in order to
> bind. It's a sort of catch-22 situation. Hence the need for a fixed
> username/password to do the first query.
>
> Davide

While this is true for 100% compliant LDAP servers, MS has "embraced and
extended" what ActiveDirectory will accept for the user's DN... by
"allowing" a Windows NT style login in the place of the DN.

The Windows NT style login is in this format:

    Domain\username

where Domain is the ActiveDirectory domain, and username is the
ActiveDirectory samAccountName.

-tony

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
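As an added illustration (not part of the thread, and not code from any of the posters), here is what the two approaches discussed above look like in httpd configuration. The first block is the "fixed username/password" pattern Davide describes, which works on 2.2: httpd binds with a dedicated read-only service account, searches for the user's entry by sAMAccountName, then rebinds with the DN it found and the password the browser supplied. The second block uses the NT-style login Tony describes: httpd binds first as the user themselves (DOMAIN\user), and only then searches. That requires the AuthLDAPInitialBindAsUser and AuthLDAPInitialBindPattern directives, which are documented for httpd 2.4 (they did not exist in 2.2 when this thread was written). The domain controller hostname, base DN, domain NetBIOS name and service-account DN are placeholders I made up for the example.

```apache
# --- Approach 1 (2.2 and later): search with a fixed service account,
#     then bind as the user to verify the password.
<Location "/secure">
    AuthType Basic
    AuthName "Active Directory login"
    AuthBasicProvider ldap

    # Use ldaps:// (or STARTTLS via LDAPTrustedMode) so neither the
    # service-account password nor the users' passwords cross the wire
    # in clear. dc1.example.com / DC=example,DC=com are assumed values.
    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Service account used only for the initial search. Give it no rights
    # beyond reading the directory, and keep this file readable by root only,
    # because the password is stored here in clear text.
    AuthLDAPBindDN       "CN=httpd-bind,OU=Service Accounts,DC=example,DC=com"
    AuthLDAPBindPassword "service-account-password-here"

    Require valid-user
</Location>

# --- Approach 2 (2.4 directives): no stored service-account password.
#     httpd first binds as "EXAMPLE\<username>" (the NT-style name AD
#     accepts in place of a DN), then searches using that user's own
#     credentials. EXAMPLE is an assumed NetBIOS domain name.
<Location "/secure2">
    AuthType Basic
    AuthName "Active Directory login"
    AuthBasicProvider ldap

    AuthLDAPURL "ldaps://dc1.example.com:636/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # Bind as the authenticating user rather than a fixed account.
    AuthLDAPInitialBindAsUser  On
    # Rewrite the bare username typed into the browser into DOMAIN\username.
    # The backslash must be escaped in the substitution.
    AuthLDAPInitialBindPattern (.+) "EXAMPLE\\$1"

    Require valid-user
</Location>
```

Approach 2 removes the long-lived service-account password from the httpd host, which is the main security win; the cost is that every request performs a bind plus a search as the end user, so check that the users actually have read access to their own entries (the default in AD) and that the mod_ldap cache is enabled so the domain controllers are not hit on every request. In both cases, reject any configuration that uses plain ldap:// to a remote controller, since a simple bind sends the password in the clear.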