[Gllug] Authentication in apache2 against a Windows domain

Russell Howe rhowe at siksai.co.uk
Thu Jun 30 10:28:24 UTC 2005


On Thu, Jun 30, 2005 at 10:51:30AM +0100, Joel Bernstein wrote:
> AuthLDAPBindDN "CN=yourserviceacct,OU=yourOU,DC=ad,DC=uiuc,DC=edu"
> AuthLDAPBindPassword yoursecretpassword

Gross and evil hack!

Also, this means you need an extra Windows CAL just for Apache!

It is better to attempt to bind to the LDAP tree using the credentials
supplied by the user. Far cleaner and more secure IMHO.

However, I'm not sure if the Apache LDAP auth modules let you do this.

I wrote a JAAS LoginModule for use with Jetty which does, though :)

http://siksai.co.uk/~rhowe/software/jaas-jldap/

Massive disclaimer - I make no pretences that it is secure. I haven't
been through the code with a fine-toothed comb, and there are probably
corner cases which lead to it being exploitable.

It's basically got as far as the "phew, it works" state.

-- 
Russell Howe       | Why be just another cog in the machine,
rhowe at siksai.co.uk | when you can be the spanner in the works?
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
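
The bind-as-user approach described in the message above, as an added example that is not part of the original post or of the jaas-jldap code: it shows two checks that belong in front of the bind, rejecting empty passwords and escaping the username before it goes into a DN. It assumes users sit directly under the quoted OU as `CN=<username>`; `bind` and `fake_directory_bind` are hypothetical names, the latter a constructed stand-in for a real server.

```python
"""Pre-bind checks for bind-as-user LDAP authentication (added example)."""
from typing import Callable

# Assumption: users sit directly under this base as CN=<username>.
USER_BASE = "OU=yourOU,DC=ad,DC=uiuc,DC=edu"
_DN_SPECIAL = '\\,+"<>;='


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def authenticate(username: str, password: str,
                 bind: Callable[[str, str], bool]) -> bool:
    """Return True only if the directory accepts the user's own credentials.

    `bind` is a hypothetical callable wrapping the LDAP client's simple bind.
    """
    # An empty password makes a simple bind "unauthenticated" (RFC 4513,
    # section 5.1.2); servers that allow it report success without
    # checking anything, so refuse before contacting the directory.
    if not username or not password:
        return False
    return bind(f"CN={escape_rdn_value(username)},{USER_BASE}", password)


# Constructed stand-in for a directory server, so the example runs offline.
_FAKE_USERS = {f"CN=alice,{USER_BASE}": "correct horse"}


def fake_directory_bind(dn: str, password: str) -> bool:
    if password == "":  # behaves like a server allowing unauthenticated bind
        return True
    return _FAKE_USERS.get(dn) == password


if __name__ == "__main__":
    for user, pw in [("alice", "correct horse"), ("alice", ""), ("alice,OU=x", "pw")]:
        print(repr(user), repr(pw), authenticate(user, pw, fake_directory_bind))
```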



