
[Fwd: Re: about you ldap plugins]



Hi,

This is the reply of the author of the mod_ldap plugin. I forward this mail here for those who helped me...
Thank you John for your help and your plugin :)


Prune

-------- Original Message --------
Subject: Re: about you ldap plugins
Date: Wed, 18 Jul 2001 10:17:18 -0400
From: John Morrissey <jwm@horde.net>
To: Prune <prune@lecentre.net>



On Mon, Jul 16, 2001 at 05:17:37PM +0200, Prune wrote:
% So, my problem is that I haven't found yet how to make proftpd bind to LDAP
% as the requested user, and not as the manager.
%
% If I define an LDAPDNInfo (and LDAPAuthBinds on), the first bind and
% retrieval of user info is made as cn=manager.
% The problem is I have to put the password of the manager in the conf.
%
% A better solution (I think, maybe I'm wrong, tell me) would be to bind as
% the wanted ftp user (the user you log in to ftp as).
% The bind should then try to bind a dn like:
% dn= "uid=prune, ou=users, ou=lecentre.net, dc=lecentre, dc=net"
% when I do a "ncftp -u prune ftp.lecentre.net"
% and use the userPassword attribute as password for the bind.
%
% But, I haven't been able to do it, so far.
%
% I'll just copy my LDAP access conf, so maybe you'll be able to give me
% the good LDAP directives to use, and the good ACL to set in LDAP.


There are several issues with what you want to do.

1. Unless someone can make a *really* good argument for this functionality,
   I won't be supporting it. Many have tried, but I've yet to see anything
   resembling an airtight argument for doing things this way.

2. proftpd needs access to several LDAP attrs, attrs that the user may not
   necessarily have access to. For instance, I'm using mod_ldap in an ISP
   environment where users have no business binding to my LDAP servers.
   What's in their entry is none of their business, so I don't want them
   binding at all, whether or not they themselves or some code is actually
   doing the binding.

3. People complain about having a privileged DN's password in the
   configuration file. I don't go along with this argument; what I do is
   create a new DN for proftpd to bind as (for the LDAPDNInfo directive).
   This DN has access to all the attrs that proftpd needs for LDAP
   authentication. The permissions on the configuration file are also
   restricted for good measure.

What this boils down to is that you're not going to be able to do this the
way you want to, I'm sorry. If someone's willing to write a patch that does
this in a reasonably clean manner, I'm willing to distribute it as
contributed code, but likely not in mod_ldap itself. Try doing #3 above; I
find that it's worked well for me.

% Proftpd conf file:
% LDAPServer localhost
% LDAPAuthBinds on
% LDAPDNInfo cn=manager,dc=lecentre,dc=net password
% #LDAPPrefix "dc=lecentre,dc=net"
% # LDAPDoAuth on
% "ou=users,ou=lecentre.net,dc=lecentre,dc=net"


LDAPPrefix is deprecated; you need to use LDAPDoAuth.

john
--
John Morrissey          _o            /\         ----  __o
jwm@horde.net        _-< \_          /  \       ----  <  \,
www.horde.net/    __(_)/_(_)________/    \_______(_) /_(_)__

--
- le Centre - a Mad Cow Tribe product


(Very uncommon, but we should please everybody anyway, even disturbed minds)
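Point 3 of John's reply is a checkable configuration pattern: proftpd should bind with a dedicated, low-privilege DN rather than the directory manager, and the file that carries that DN's password should not be world-readable. The script below is an added example written for this page, not code from the thread or from mod_ldap itself; it audits a proftpd.conf for exactly those two properties. The file path, the sample config and the DN names are constructed for illustration. What the dedicated DN may read is enforced on the directory side (for OpenLDAP, the slapd `access to attrs=...` ACLs), which this script does not inspect.

```shell
#!/bin/sh
# Added example (not from the thread): audit a proftpd.conf against the
# advice in point 3 above.
#   - LDAPDNInfo should name a dedicated service DN, not cn=manager
#     (the OpenLDAP rootdn in the poster's config).
#   - The file holding that DN's password should be mode 0600 or 0400.
# Paths, DNs and the sample config used by callers are constructed.

# ldap_bind_dn FILE -> prints the DN given to LDAPDNInfo (never the password)
ldap_bind_dn() {
    awk 'tolower($1) == "ldapdninfo" { print $2; exit }' "$1"
}

# is_manager_dn DN -> true when the leftmost RDN is cn=manager (case-insensitive)
is_manager_dn() {
    rdn=$(printf '%s' "$1" | cut -d, -f1 | tr 'A-Z' 'a-z' | tr -d ' ')
    [ "$rdn" = "cn=manager" ]
}

# file_mode FILE -> octal permission bits, e.g. 644 (GNU stat, then BSD stat)
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_config FILE -> prints one line per finding, returns the finding count
# (0 means the config follows the recommended pattern)
check_config() {
    f=$1
    n=0
    dn=$(ldap_bind_dn "$f")
    if [ -z "$dn" ]; then
        echo "no LDAPDNInfo directive in $f"
        n=$((n + 1))
    elif is_manager_dn "$dn"; then
        echo "LDAPDNInfo binds as the directory manager ($dn); use a dedicated DN with read access only to the attrs proftpd needs"
        n=$((n + 1))
    fi
    mode=$(file_mode "$f")
    case "$mode" in
        600|400) ;;
        *)
            echo "$f is mode $mode; the bind password is readable by other users (want 600)"
            n=$((n + 1))
            ;;
    esac
    return "$n"
}

# Usage (constructed sample mirroring the poster's config):
#   check_config /etc/proftpd.conf; echo "findings: $?"
```

Run it against the config quoted earlier in the thread and it reports both findings; replace the manager DN with a service DN such as `cn=proftpd,ou=services,dc=lecentre,dc=net` (a constructed name) and `chmod 600` the file, and it returns 0.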