Sorry for my ignorance but I'm looking for an explanation. I have LDAP authentication working in my Drupal environment. We're using AD so I had to use the non-anonymous search DN to get logins to work however. I understand that the DN is needed because anonymous queries aren't allowed in this instance.
But, my question is what is the reason for needing to search LDAP before being able to bind? My thinking is that if I have the BaseDN, a user name & password that should be enough to bind directly to LDAP from the Drupal login form. If I log directly into LDAP (via another client) I don't need to have a separate account that binds before I'm able to bind. Does that make sense? I'm sure there's reasoning but I don't know.
Comments
Comment #1
retsamedoc commented: LDAP logins include a bind because you cannot just login with a username. LDAP logins, or binds, use the full distinguished name (DN) of the user to authenticate. Since we do not know the user's DN based purely upon their username, we must first perform an anonymous bind to search for the DN using this given username.
In your situation, the anonymous bind is actually an authenticated bind but we still cannot get to password data due to how attribute security is handled: most role accounts have no access to the password attribute and users (should) always have access to their own password field.
Comment #2
lambic commented: Depending on your setup, using the username and password given by the user may work, it does for us. I offered a patch to allow that here: http://drupal.org/node/538818
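The two flows discussed in Comment #1 (service account binds, searches for the user's DN, then the user's DN is bound) and Comment #2 (bind straight away with a name form the server resolves itself, such as an AD userPrincipalName) side by side, as an added example that is not code from the Drupal LDAP module or from either commenter. It runs against a small in-memory stand-in for an AD-like directory, so `FakeDirectory`, its entries, and every name and secret below are constructed; a live deployment would swap `FakeDirectory.search`/`bind` for a real client's calls. The stand-in models two server behaviours a login implementation has to respect: anonymous search is refused (what the original poster saw), and a bind with an empty password is an unauthenticated bind that many servers, AD by default included, report as successful, so the caller must reject empty passwords before binding. The username is escaped per RFC 4515 before it is placed in the search filter.

```python
"""Search-then-bind versus direct bind against an in-memory stand-in for an LDAP server.

Added example; not code from the Drupal LDAP module. FakeDirectory and the entries,
names and secrets below are constructed fixtures.
"""
import re

# RFC 4515: these characters change the meaning of a search filter and must be
# hex-escaped before a user-supplied value is placed inside one.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# The stand-in understands one equality filter, e.g. "(sAMAccountName=jdoe)", whose value
# holds no raw ( ) * or \ (escaped \xx pairs are fine). Unlike a real server it rejects
# wildcards instead of interpreting them.
_EQUALITY_FILTER = re.compile(r"^\(([A-Za-z][\w.-]*)=((?:[^()*\\]|\\[0-9a-fA-F]{2})*)\)$")


def _parse_equality_filter(filt: str):
    m = _EQUALITY_FILTER.match(filt)
    if not m:
        raise ValueError(f"malformed filter: {filt!r}")
    attr, raw = m.group(1), m.group(2)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    return attr, value


class FakeDirectory:
    """Constructed stand-in for an AD-like server: {dn: {"attrs": {...}, "password": ...}}."""

    def __init__(self, entries: dict):
        self.entries = entries

    def _resolve(self, name: str):
        # Binds take a full DN; AD additionally accepts a userPrincipalName (user@domain).
        if name in self.entries:
            return self.entries[name]
        for entry in self.entries.values():
            if entry["attrs"].get("userPrincipalName", "").lower() == name.lower():
                return entry
        return None

    def bind(self, name: str, password: str) -> bool:
        """Simple bind. Models RFC 4513 section 5.1.2: a name with an EMPTY password is an
        unauthenticated (anonymous) bind that many servers, AD by default among them,
        report as successful. Callers must reject empty passwords themselves."""
        if password == "":
            return True
        entry = self._resolve(name)
        return entry is not None and entry["password"] == password

    def search(self, bound_as, base_dn: str, filt: str) -> list:
        """DNs under base_dn matching filt. Anonymous search is refused, as the original
        poster observed with AD, so a bound service account is required."""
        if bound_as is None:
            raise PermissionError("anonymous search refused")
        attr, value = _parse_equality_filter(filt)
        return [dn for dn, entry in self.entries.items()
                if dn.lower().endswith(base_dn.lower())
                and entry["attrs"].get(attr) == value]


def authenticate_search_then_bind(directory, base_dn, service_dn, service_pw,
                                  username, password):
    """Comment #1's flow: service account binds, the user's DN is looked up from the bare
    username, then that DN and the user's password are bound. Returns the DN or None."""
    if password == "":
        return None  # would otherwise be an unauthenticated bind, see FakeDirectory.bind
    if not directory.bind(service_dn, service_pw):
        raise RuntimeError("service account bind failed")
    filt = f"(sAMAccountName={escape_filter_value(username)})"
    matches = directory.search(service_dn, base_dn, filt)
    if len(matches) != 1:
        return None  # unknown user, or an ambiguous result: refuse rather than pick one
    user_dn = matches[0]
    return user_dn if directory.bind(user_dn, password) else None


def authenticate_direct_bind(directory, username, upn_suffix, password) -> bool:
    """Comment #2's shortcut: no search, bind at once with a name form the server resolves
    itself (AD: user@domain). Only works where the server offers such a form, and yields
    no DN or attributes unless a search follows."""
    if password == "":
        return False
    return directory.bind(f"{username}@{upn_suffix}", password)


# Constructed fixture data (hypothetical names and secrets).
BASE_DN = "DC=example,DC=com"
SVC_DN = "CN=svc-drupal,OU=Service Accounts,DC=example,DC=com"
JANE_DN = "CN=Jane Doe,OU=Staff,DC=example,DC=com"
OPS_DN = "CN=IT Ops,OU=Staff,DC=example,DC=com"
DIRECTORY = FakeDirectory({
    SVC_DN: {"attrs": {"sAMAccountName": "svc-drupal"}, "password": "svc-secret"},
    JANE_DN: {"attrs": {"sAMAccountName": "jdoe",
                        "userPrincipalName": "jdoe@example.com"}, "password": "jane-pw"},
    OPS_DN: {"attrs": {"sAMAccountName": "it(ops)"}, "password": "ops-pw"},
})

if __name__ == "__main__":
    print(authenticate_search_then_bind(DIRECTORY, BASE_DN, SVC_DN, "svc-secret", "jdoe", "jane-pw"))
    print(authenticate_search_then_bind(DIRECTORY, BASE_DN, SVC_DN, "svc-secret", "it(ops)", "ops-pw"))
    print(authenticate_direct_bind(DIRECTORY, "jdoe", "example.com", "jane-pw"))
```

The search-then-bind path is what makes a bare username usable: the service account needs only search rights on the user subtree, never the password attribute, and the user's own bind is what proves the password. The direct-bind path saves a round trip but leaves you without the DN or group attributes Drupal would normally read afterwards, which is why it only works "depending on your setup".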
Comment #3
cgmonroe commented: Clearing out old support requests - reopen if the problem still exists in the newest code.