LDAP bind against Active Directory (no DN searching)

NdAd · 02-26-2015, 01:59 AM

Hi Guys

I would like to get my Linux box authenticate users via Active directory and allow access to group of users. Currently, it is working great but... not as I wanted. See my httpd.conf below:

Code:

<Directory "/var/www/cgi-bin">
    Order allow,deny
    Allow from all
    AuthzLDAPAuthoritative off
    AuthType Basic
    AuthName "USE YOUR WINDOWS ACCOUNT"
    AuthBasicProvider ldap
 AuthLDAPBindDN "user2bind@example.com"
 AuthLDAPBindPassword "pass"
    AuthLDAPURL "ldap://LinuxIP:3268/?sAMAccountName?sub?(objectClass=*)"
    # member of group
    Require ldap-group CN=dev_team,OU=Groups,OU=state,OU=Organization,DC=example,DC=com
    AuthUserFile /dev/null
    Require valid-user
</Directory>

I just would like to user authenticate against AD w/o using specific binding account in order to do ldap query for user existence.

I mean basically that when user gets credential dialog, the server will attempt to bind with his provided DN format and not the permanent one I'm using at the moment (under "AuthLDAPBindDN" / "AuthLDAPBindPassword" )

btw, I'm on Apache server 2.2.

Thanks !

sundialsvcs · 02-26-2015, 10:37 AM

As far as I am aware, you must use some kind of binding-account in order to do anything-at-all with LDAP. I suspect that this is mostly so that assholes third-parties can't pummel the server with requests and/or find out things that they properly don't need to know. It's actually okay for the server to be politely asking, "who wants to know?" before divulging its secrets . . .

NdAd · 02-26-2015, 12:27 PM

Quote:

Originally Posted by sundialsvcs

As far as I am aware, you must use some kind of binding-account in order to do anything-at-all with LDAP. I suspect that this is mostly so that assholes third-parties can't pummel the server with requests and/or find out things that they properly don't need to know. It's actually okay for the server to be politely asking, "who wants to know?" before divulging its secrets . . .

First, thanks for your reply.

I understand what you mean but the thing is I have other box with Cacti software for monitoring and there I specifically check "no searching mode" and put DN format to bind with and that's it. Didn't specify any binding account at all and it's working like a charm! How do you think is that ? As I see this, when server wants to communicate with AD (for checking account existence) it will just use the account being entered by the user for authentication only. So I believe there's a way to do so, just I'm not sure how.