For some strange reason, our Active Directory is set up to not allow anonymous LDAP searches, but ALL users are allowed to search. For our internal applications we use the user that is attempting to log in as the "binding" user instead of having a "non-expiring" user that causes us audit findings.

Could there be an addition to the "Advanced configuration" section that allows for a domain and the user / password being entered as the DN for the non-anonymous search? Maybe something along the lines of....

DN for non-anonymous search:
domain/!USER!

and a flag for:
Use entered password?

Then, when Joe attempts to log in using the password abc123.... The DN for non-anonymous search would be: "domain/joe" and the password would be "abc123".

Comments

LArjona

Version: 6.x-1.x-dev » 5.x-1.3

I asked about a similar thing at http://drupal.org/node/198766 but still no luck.
Any help?

Pasi

Version: 5.x-1.3 » 6.x-1.x-dev

I have the same problem with the latest 6.x devs

miglius

Status: Active » Closed (works as designed)

The system does not know the user's DN beforehand, so it tries to build one. It takes the username from the Drupal login and cycles through all configured Base DNs to search for a valid user DN. The first DN found wins. The user search is performed using the admin DN, or anonymously (if no admin DN is configured).

The search is made to find a user's DN. You're asking to bind with a user's DN to search for that DN, which is impossible.
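To make the two flows in this thread concrete (the module's current behaviour as miglius describes it, and the "domain/!USER!" plus "use entered password" scheme requested in the original post), here is an added simulation. It is not code from the Drupal LDAP module; the in-memory directory, the sample accounts and passwords, and the `domain/user` bind shorthand are all constructed for the example. The one assumption it leans on is that a directory like Active Directory will accept a simple bind under a name that is not the account's DN, which is what lets the user's own credentials authenticate the search that then locates that DN.

```python
"""Simulated comparison of the two LDAP login flows discussed in this issue.

Added illustration, not code from the Drupal LDAP module. The directory below
is a constructed stand-in for an AD that refuses anonymous searches but lets any
authenticated user search; "domain/!USER!" and the "use entered password" flag
are the hypothetical settings requested in the original post.
"""


class LdapError(Exception):
    """Raised where a real LDAP server would return an error result."""


class SimDirectory:
    """Minimal stand-in for an LDAP/AD server (constructed for this example)."""

    def __init__(self, entries, allow_anonymous_search):
        # entries: dn -> attributes. Passwords are in clear only because this is
        # a simulation; a real directory never hands them back.
        self.entries = entries
        self.allow_anonymous_search = allow_anonymous_search

    def _lookup(self, identity):
        """Resolve a full DN or a 'domain/user' style name to (dn, attrs)."""
        if identity in self.entries:
            return identity, self.entries[identity]
        if "/" in identity:  # the domain/user shorthand from the request
            account = identity.split("/", 1)[1]
            for dn, attrs in self.entries.items():
                if attrs["sAMAccountName"] == account:
                    return dn, attrs
        return None, None

    def bind(self, identity, password):
        """Simple bind: returns the bound DN as a session token, or raises."""
        if identity is None:
            return None  # anonymous session
        dn, attrs = self._lookup(identity)
        if dn is None or attrs["_password"] != password:
            raise LdapError("invalidCredentials")
        return dn

    def search(self, session, base_dn, username):
        """Return the DN under base_dn whose sAMAccountName matches username."""
        if session is None and not self.allow_anonymous_search:
            raise LdapError("operationsError: anonymous search not allowed")
        for dn, attrs in self.entries.items():
            if dn.endswith(base_dn) and attrs["sAMAccountName"] == username:
                return dn
        return None


def find_user_dn(directory, session, base_dns, username):
    """Cycle through the configured Base DNs; the first DN found wins."""
    for base_dn in base_dns:
        dn = directory.search(session, base_dn, username)
        if dn:
            return dn
    return None


def login_current(directory, base_dns, admin_dn, admin_password, username, password):
    """Current flow: search with the admin DN (or anonymously), then bind as the user."""
    try:
        search_session = directory.bind(admin_dn, admin_password) if admin_dn else None
        user_dn = find_user_dn(directory, search_session, base_dns, username)
        if user_dn is None:
            return False, None, "user not found"
        directory.bind(user_dn, password)
        return True, user_dn, "ok"
    except LdapError as exc:
        return False, None, str(exc)


def login_proposed(directory, base_dns, bind_template, username, password):
    """Requested flow: bind with the template filled from the login form, then search."""
    try:
        bind_identity = bind_template.replace("!USER!", username)
        search_session = directory.bind(bind_identity, password)  # "use entered password" on
        user_dn = find_user_dn(directory, search_session, base_dns, username)
        if user_dn is None:
            return False, None, "user not found"
        return True, user_dn, "ok"
    except LdapError as exc:
        return False, None, str(exc)


# Constructed sample directory: anonymous search refused, authenticated search allowed.
SAMPLE_DIRECTORY = SimDirectory(
    {
        "CN=admin,OU=Service,DC=example,DC=com": {"sAMAccountName": "svc-drupal", "_password": "svc-pass"},
        "CN=joe,OU=Staff,DC=example,DC=com": {"sAMAccountName": "joe", "_password": "abc123"},
        "CN=ann,OU=Contractors,DC=example,DC=com": {"sAMAccountName": "ann", "_password": "s3cret"},
    },
    allow_anonymous_search=False,
)
BASE_DNS = ["OU=Contractors,DC=example,DC=com", "OU=Staff,DC=example,DC=com"]

if __name__ == "__main__":
    print(login_current(SAMPLE_DIRECTORY, BASE_DNS, None, None, "joe", "abc123"))
    print(login_current(SAMPLE_DIRECTORY, BASE_DNS, "CN=admin,OU=Service,DC=example,DC=com", "svc-pass", "joe", "abc123"))
    print(login_proposed(SAMPLE_DIRECTORY, BASE_DNS, "domain/!USER!", "joe", "abc123"))
    print(login_proposed(SAMPLE_DIRECTORY, BASE_DNS, "domain/!USER!", "joe", "wrong"))
```

The first call shows the failure the original poster is hitting: with no admin DN configured, the DN search runs anonymously and the directory refuses it before the user's password is ever checked. The second call is the current design working once a standing service account is configured (the "non-expiring" user the poster wants to avoid). The third call is the requested flow: the user's own login name and password authenticate the session, and that session then performs the Base DN walk that finds the DN. A wrong password fails at the bind step, so no search happens at all.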

graftonkennedy

I've searched a lot for this and found:

A discussion on Apache LDAP authentication and non anonymous binding:
http://www.gossamer-threads.com/lists/apache/users/346901

and the Apache2::AuthenMSAD module. Source is available.
http://cpan.uwinnipeg.ca/htdocs/Apache2-AuthenMSAD/Apache2/AuthenMSAD.pm...