[rt-users] LDAP authentication

George Warnagiris gwarnagiris at babcockbrown.com
Tue Apr 30 11:12:44 EDT 2002


I think this is starting to drift outside the scope of rt-users.  Being that
each implementation of LDAP is vendor specific, a discussion about Novell's
implementation choices only applies to a small percentage of RT sites.  I
see Novell maintains a lot of doco:
http://www.novell.com/documentation/lg/authserv/index.html .  Besides, isn't
the advantage of paying for a product such as NDS-AS that you get
professional support?

Just my opinion...

George

-----Original Message-----
From:	Harald Wagener [mailto:hwagener at hamburg.fcb.com]
Sent:	Tuesday, April 30, 2002 10:41 AM
To:	rt-users at lists.fsck.com
Subject:	Re: [rt-users] LDAP authentication

Yan Fitterer wrote:
> 
> Well - thanks, but I think my original question was not quite reflecting
> what I meant. I understand (and have read previous posts) the principles
> about using Net::LDAP, or the various mod_ldap modules for Apache. What I
> didn't understand was the low-level mechanics about how to authenticate a
> user against the LDAP server.

[snip]

> I think I've got now partial answers - let me know if this is correct:
> - The attributes one uses depend on the implementation / setup of each
> LDAP server. The common attributes are uid or cn for the username, and
> userPassword for the password. (I'm using Novell's NDS) My problem there
> was that my version of Novell / LDAP doesn't have any password-type
> field... :-(

The important one is the uid, which has to exist for each entry and has to
be unique over the set of all entries in a container hierarchy (hence it is
the *u*nique *id*entifier).

We have the same setup (NDS below LDAP) here in our company. The easiest way
is trying to bind against the LDAP directory using a username/password
combination. If that works, the password has to be correct. If not, the
password was incorrect. So you don't need to show the password via the LDAP
directory - it's automatically tested against the password hidden in the NDS
layer.

> - There is no LDAP - defined "authenticate object" type function, the
> closest to it would be a compare.

The closest is the bind. Please note that this data is sent in cleartext,
so unless you set up an SSL encrypted stream, be sure to only do this in an
isolated network.

Regards,
	Harald
-- 
Harald Wagener*An der Alster 42*20099 Hamburg*http://www.fcb-wilkens.com

_______________________________________________
rt-users mailing list
rt-users at lists.fsck.com
http://lists.fsck.com/mailman/listinfo/rt-users

Have you read the FAQ? The RT FAQ Manager lives at http://fsck.com/rtfm
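The bind-based check Harald describes, written out as an added example with Net::LDAP (this is not code from the thread or from RT; the host, base DN and CA file are placeholder assumptions). It covers the two points a practitioner would want: the connection is upgraded with STARTTLS before any password crosses the wire, and an empty password is rejected before binding, because LDAP servers treat a bind with an empty password as an anonymous bind that succeeds.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Assumed settings for illustration only; adjust for your directory.
my $LDAP_HOST = 'ldap.example.com';
my $BASE_DN   = 'ou=People,o=example';
my $CA_FILE   = '/etc/ssl/certs/ca-bundle.crt';

# Returns 1 if $username/$password authenticate against the directory,
# 0 otherwise. Every failure path releases the connection.
sub ldap_authenticate {
    my ($username, $password) = @_;

    # An empty password turns the bind into an anonymous (unauthenticated)
    # bind, which the server accepts, so refuse it before talking to LDAP.
    return 0 unless defined $password && length $password;
    return 0 unless defined $username && length $username;

    my $ldap = Net::LDAP->new($LDAP_HOST, timeout => 10) or return 0;

    # Upgrade to TLS so the credentials are not sent in cleartext.
    my $tls = $ldap->start_tls(verify => 'require', cafile => $CA_FILE);
    if ($tls->code) { $ldap->unbind; return 0; }

    # Step 1: look up the entry whose uid matches, to obtain its full DN.
    # Assumes the directory permits an anonymous search of the base DN.
    my $search = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => '(uid=' . escape_filter_value($username) . ')',
        attrs  => ['1.1'],   # no attributes needed, only the DN
    );
    if ($search->code || $search->count != 1) { $ldap->unbind; return 0; }
    my $dn = $search->entry(0)->dn;

    # Step 2: bind as that DN with the supplied password. A successful bind
    # means the directory (here NDS behind LDAP) accepted the password; the
    # password value itself is never read from the directory.
    my $bind = $ldap->bind($dn, password => $password);
    my $ok = $bind->code == 0 ? 1 : 0;
    $ldap->unbind;
    return $ok;
}

my ($user, $pass) = @ARGV;
print ldap_authenticate($user, $pass) ? "authenticated\n" : "rejected\n";
```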



