[rt-users] LDAP authentication

Harald Wagener hwagener at hamburg.fcb.com
Tue Apr 30 10:41:04 EDT 2002


Yan Fitterer wrote:
> 
> Well - thanks, but I think my original question was not quite reflecting what I
> meant. I understand (and have read previous posts) the principles about using
> Net::LDAP, or the various mod_ldap modules for Apache. What I didn't
> understand was the low-level mechanics about how to authenticate a user against
> the LDAP server.

[snip]

> I think I've got now partial answers - let me know if this is correct:
> - The attributes one uses depend on the implementation / setup of each LDAP
> server. The common attributes are uid or cn for the username, and userPassword
> for the password. (I'm using Novell's NDS) My problem there was that my version
> of Novell / LDAP doesn't have any password-type field... :-(

The important one is the uid, which has to exist for each entry and has to be
unique over the set of all entries in a container hierarchy (hence it is the
*u*nique *id*entifier).

We have the same setup (NDS below LDAP) here in our company. The easiest way is
trying to bind against the LDAP directory using a username/password
combination. If that works, the password has to be correct. If not, the
password was incorrect. So you don't need to see the password via the LDAP
directory - it's automatically tested against the password hidden in the NDS
layer.

> - There is no LDAP-defined "authenticate object" type function; the closest to it
> would be a compare.

The closest is the bind. Please note that this data is sent in cleartext, so
unless you set up an SSL-encrypted stream, be sure to only do this in an
isolated network.

Regards,
	Harald
-- 
Harald Wagener*An der Alster 42*20099 Hamburg*http://www.fcb-wilkens.com
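The "try to bind" approach described above, written out as an added Net::LDAP example (this is not code from the original post or from RT). It assumes a hypothetical host ldap.example.com, base DN ou=people,o=example and CA file /etc/ssl/certs/example-ca.pem; adjust these to your directory. It starts TLS before any credentials cross the wire (the cleartext caveat above), escapes the username so it cannot alter the search filter, and refuses an empty password, since an empty password turns the bind into an anonymous bind that most servers accept:

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util     qw(escape_filter_value);
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# Hypothetical settings; replace with your own directory's values.
my $LDAP_HOST = 'ldap.example.com';
my $BASE_DN   = 'ou=people,o=example';
my $CA_FILE   = '/etc/ssl/certs/example-ca.pem';

# Returns 1 if the directory accepts $username/$password, 0 otherwise.
sub ldap_authenticate {
    my ($username, $password) = @_;

    # An empty password would make this an anonymous (unauthenticated)
    # bind, which succeeds on most servers: refuse it before connecting.
    return 0 unless defined $password && length $password;

    my $ldap = Net::LDAP->new($LDAP_HOST, version => 3)
        or die "cannot connect to $LDAP_HOST: $@";

    # Wrap the connection in TLS before any credentials are sent, and
    # insist on a verified server certificate.
    my $mesg = $ldap->start_tls(verify => 'require', cafile => $CA_FILE);
    die 'start_tls failed: ' . $mesg->error if $mesg->code;

    # Step 1: find the entry's DN by uid. The username is escaped so that
    # filter metacharacters in it cannot change the meaning of the search.
    # (If your server disallows anonymous searches, bind with a read-only
    # service account first.)
    $mesg = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => '(uid=' . escape_filter_value($username) . ')',
        attrs  => ['1.1'],    # "1.1" = return no attributes, DN only
    );
    die 'search failed: ' . $mesg->error if $mesg->code;

    # uid must match exactly one entry; zero or several means no login.
    if ($mesg->count != 1) {
        $ldap->unbind;
        return 0;
    }
    my $dn = $mesg->entry(0)->dn;

    # Step 2: bind as that DN with the supplied password. The server
    # checks the password against whatever it stores (here: hidden in NDS).
    $mesg = $ldap->bind($dn, password => $password);
    my $ok = ($mesg->code == LDAP_SUCCESS) ? 1 : 0;

    # Wrong password is expected noise; anything else is worth logging.
    warn "bind failed for $dn: " . $mesg->error . "\n"
        if $mesg->code && $mesg->code != LDAP_INVALID_CREDENTIALS;

    $ldap->unbind;
    return $ok;
}

# Usage: perl ldap_auth.pl USERNAME   (password is read from standard input
# rather than the command line so it does not show up in the process list)
my $user = shift @ARGV or die "usage: $0 USERNAME\n";
chomp(my $pass = <STDIN> // '');
print ldap_authenticate($user, $pass) ? "authenticated\n" : "rejected\n";
```

The two-step search-then-bind is needed because the bind wants a full DN, not a bare uid; looking the DN up first also lets you reject usernames that match zero or more than one entry instead of guessing a DN pattern.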
