Closed (won't fix)
Project:
LDAP integration
Version:
5.x-1.x-dev
Component:
Code
Priority:
Normal
Category:
Feature request
Assigned:
Unassigned
Reporter:
Created:
7 Dec 2007 at 14:37 UTC
Updated:
6 Aug 2011 at 18:47 UTC
Thanks a lot for the great module! There are a couple of things I would like to request to make it more customizable, though.
The first would be to allow the provided username and password be used to bind to the LDAP during login. As of right now, you either have anonymous searches, or you must provide a dn in the administration interface.
The second would be the ability to optionally specify an account suffix to be appended to the username (i.e. @host.com) for binding purposes.
Thanks again for all the great work!
Comments
Comment #1
treksler commented
1) It would make ZERO sense to do the lookup with the username and password from the login form.
As I understand it, you bind anonymously (or with a known DN and password) to find out whether the user from the login form EXISTS!
i.e.
so you can tell the difference between a "wrong password" and the "user not existing" in LDAP.
If you do the lookup with the username and password from the login form, and the password is wrong, you still don't know if the user exists or not!!
My problem is that I don't care if the user exists ... if it fails, it fails.
So, I want to skip the whole DN lookup, because I KNOW that there is guaranteed to be only one user in our LDAP per login ID and the DN is known to be "uid=,ou=it,o=example.com"
So I want to skip the lookup and go straight to the bind for authentication.
Is this what you also want?
Comment #2
treksler commented
Or perhaps it would be nice to choose an alternate server to do the lookup on.
We have several LDAP servers:
1) allows anonymous lookups - the DN is found there by looking up the owner property of the given uid
2) does not allow anonymous lookups and would be used to bind only - i.e. authenticate
Anyone else see value in features like this??
a) either skip the lookup and specify a pattern for the DN if it is known
b) perform the lookup on a second server
Comment #3
LArjona commented
I am also interested in the 1st request of #okamosy or the 1/a) request of #irstudio.
Maybe it is nonsense for others, but my LDAP server (which I cannot change because I am not the admin) does not allow anonymous connections and is only for authentication, so one can only retrieve the data belonging to the user that makes the bind/connection, not others.
I don't know if I explained it well, so I will give an example.
Let's say I have two different users, User1 with password PW1 and User2 with password PW2.
If I put User1/PW1 for non-anonymous searches in the Ldap_auth configuration, advanced settings, I can log in with user1, but I cannot log in with user2 (my LDAP server realizes that I am connecting with user1 credentials and later I try to find information about user2, not about user1, so it refuses the 2nd connection).
If I change the LDAP_auth configuration, advanced settings, and put User2/PW2 for "non anonymous searches", I can log in as user2 but not as user1.
I thought I could change the function connect($dn = '', $pass = ''): check first if $dn == '', then change $dn and $pass to the username and password that the user typed, but I don't know if it is the best approach to do this (because of cleaning user-typed data etc.). Also I am not sure which username and password variables to use.
Any help would be very appreciated.
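The two options asked for in this thread (skip the lookup and build the bind DN from a pattern, per comment #2 option a) and comment #3; or append an account suffix such as @host.com, per the original request) both splice the login-form username into something sent to the directory. The example below is added here for illustration and is not code from the LDAP integration module; it is written in Python rather than the module's PHP, and the `%s` placeholder convention, the function names and the sample usernames are assumptions made for this example. It shows the two checks a direct-bind flow needs that the comments do not spell out: the username must be escaped per RFC 4514 before it goes into a DN (and per RFC 4515 before it goes into a search filter for the lookup flow of comment #1), and an empty password must be refused, because a bind with a name and an empty password is an "unauthenticated" bind (RFC 4513 section 5.1.2) that some servers answer with success.

```python
# Added example, not code from the LDAP integration module: building the bind
# name for the "skip the lookup" and "append an account suffix" options from
# the thread, with the input handling a direct bind needs.  The %s placeholder
# convention and the function names are assumptions made for this example.

# RFC 4514 section 2.4: characters that must be escaped inside a DN attribute value.
_DN_SPECIAL = set('\\,+"<>;=')


def escape_dn_value(value):
    """Escape a string so it can be substituted into a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:          # leading '#' would start a hex-encoded value
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):   # leading/trailing spaces are dropped unless escaped
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value):
    """Escape a string for use inside a search filter (RFC 4515 section 3)."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch
                   for ch in value)


def build_lookup_filter(username, attr='uid'):
    """Filter for the search-then-bind flow from comment #1, e.g. (uid=jdoe)."""
    return '(%s=%s)' % (attr, escape_filter_value(username))


def prepare_direct_bind(username, password, dn_pattern=None, account_suffix=None):
    """Return (bind_name, password) for a simple bind, or raise ValueError.

    dn_pattern      e.g. 'uid=%s,ou=it,o=example.com'  (comment #2, option a)
    account_suffix  e.g. '@host.com'                   (the suffix request)
    """
    if not username or not password:
        # RFC 4513 section 5.1.2: a bind with a name but an empty password is an
        # "unauthenticated" bind; servers that accept it would let anyone log in
        # as any existing user, so never forward an empty password to the bind.
        raise ValueError('username and password must both be non-empty')
    if dn_pattern is not None:
        if dn_pattern.count('%s') != 1:
            raise ValueError('dn_pattern must contain exactly one %s')
        # Escaping stops a username like 'jdoe,ou=admins' from adding an RDN.
        return dn_pattern.replace('%s', escape_dn_value(username)), password
    if account_suffix is not None:
        if '@' in username or '\\' in username:
            # 'jdoe@other.example' or 'OTHER\\jdoe' would pick a different realm
            # than the configured suffix, so refuse it rather than append to it.
            raise ValueError('username may not contain @ or \\ when a suffix is configured')
        return username + account_suffix, password
    raise ValueError('no dn_pattern or account_suffix configured')


if __name__ == '__main__':
    # Constructed inputs: a normal login and one trying to smuggle an extra RDN.
    pattern = 'uid=%s,ou=it,o=example.com'
    for name in ('jdoe', 'jdoe,ou=admins'):
        print(prepare_direct_bind(name, 's3cret', dn_pattern=pattern)[0])
    print(prepare_direct_bind('jdoe', 's3cret', account_suffix='@host.com')[0])
    print(build_lookup_filter('*)(uid=*'))
```

The returned bind name is what would be passed to the directory's simple bind together with the user's password; the lookup filter is only needed if the search-then-bind flow from comment #1 is kept. Note that with the direct-bind flow a failed bind still cannot tell "no such user" from "wrong password", which is exactly the trade-off comment #1 describes.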
Comment #4
johnbarclay commented
Closing 5.x issues to clean out the issue queue.