
Munging an OpenLDAP slapd server

In order to supply an authentication shim for a software package
which already supports LDAP by the following mechanism:

  0) Secure userid "xxx" and password "yyy" from package's client
  1) Anonymous bind to an LDAP server on specified host:port
  2) Check for existence of a DN with uid=xxx and close anonymous connection.
  3) If (2) failed, report not Authenticated because no such user.
  4) Attempt non-Anonymous bind w/ DN and yyy
  5) Close off non-anonymous bind if succeeded.
  6) Report Authenticated if bind succeeded, report not Authenticated if bind failed.

We have no LDAP databases which include passwords.  For another software
package which only supported LDAP Authentication, we implemented a version 
of slapd which had bind.c mangled to spawn off a kerberos kinit check for 
the uid=xxx with the selected password.  That software package only required
what is listed in step (0) and then only steps (4) thru (6) above.

I'm hoping to use the same technology for this new software package, which presumes
all the above steps.  I can easily determine if the uid=xxx is valid for the
application, and can construct a character string representing a suitable DN
easily, too.  The catch is I have no idea which slapd module I'd need to
munge, where I'd need to do it, and what I'd need to do to build the
appropriate structures for slapd to pass back as a successful (or failed)
search.  Guidance?

Thanks in advance...

+----"Never Underestimate the bandwidth of a station wagon full of mag tapes"--+
| J.Lance Wilkinson ("Lance")		InterNet:  Lance.Wilkinson@psu.edu 
| Systems Design Specialist - Lead	AT&T:      (814) 865-1818
| Digital Library Technologies		FAX:       (814) 863-3560
| 3 Paterno Library				"I'd rather be dancing..." 
| Penn State University		    A host is a host from coast to coast,
| University Park, PA 16802	    And no one will talk to a host that's close
| <postmaster@psulias.psu.edu>	    Unless the host that isn't close
| EMail Professional since 1978	    Is busy, hung or dead.
+---------"He's dead, Jim. I'll get his tricorder. You take his wallet."-------+
                [apologies to DeForest Kelley, 1920-1999]
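The seven-step client mechanism described in the post, as an added example that is not part of the original message or of OpenLDAP. The connect() interface, the in-memory directory and the names in it are constructed stand-ins for a real LDAP client library and server, and the empty-password refusal and filter escaping are caveats added here that the original steps do not mention.

```python
from typing import Callable, Dict, List, Optional, Tuple
class BindError(Exception):
    """Raised by connect() when the server rejects the bind (invalidCredentials)."""
def escape_filter(value: str) -> str:
    """RFC 4515 escaping, so a uid such as 'x)(uid=*' cannot widen the step-2 search."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)
def authenticate(connect: Callable, base_dn: str, uid: str, password: str) -> Tuple[bool, str]:
    """Steps 1-6 of the mechanism above. connect(dn, pw) returns an object with
    search(base, filter) -> [dn, ...] and close(); dn=None means an anonymous bind."""
    # Caveat not in the original steps: a simple bind with a DN and an EMPTY password is
    # an unauthenticated bind (RFC 4513 sec. 5.1.2) that many servers accept, so step 4
    # would report "Authenticated" for anyone who knows a valid uid. Refuse it first.
    if not password:
        return False, "empty password"
    anon = connect(None, None)                                   # step 1
    try:
        dns: List[str] = anon.search(base_dn, "(uid=%s)" % escape_filter(uid))  # step 2
    finally:
        anon.close()
    if len(dns) != 1:                                            # step 3 (duplicate uid also fails)
        return False, "no such user" if not dns else "ambiguous uid"
    try:
        bound = connect(dns[0], password)                        # step 4
    except BindError:
        return False, "bind failed"                              # step 6, failure
    bound.close()                                                # step 5
    return True, dns[0]                                          # step 6, success

# Constructed in-memory stand-in for the directory, used only to exercise the flow offline.
class FakeConnection:
    def __init__(self, directory: Dict[str, str]):
        self.directory = directory                               # dn -> uid attribute
    def search(self, base_dn: str, filt: str) -> List[str]:
        uid = filt[len("(uid="):-1]                              # only the filter this flow issues
        return [dn for dn, u in self.directory.items() if u == uid and dn.endswith(base_dn)]
    def close(self) -> None:
        pass

def make_connect(directory: Dict[str, str], passwords: Dict[str, str]) -> Callable:
    """connect(dn, pw): anonymous when dn is None, otherwise checked against the password table."""
    def connect(dn: Optional[str], pw: Optional[str]) -> FakeConnection:
        if dn is not None and passwords.get(dn) != pw:
            raise BindError("invalidCredentials")
        return FakeConnection(directory)
    return connect

BASE = "ou=people,dc=example,dc=edu"                             # constructed sample data
DIRECTORY = {"uid=lance," + BASE: "lance", "uid=guest," + BASE: "guest"}
PASSWORDS = {"uid=lance," + BASE: "s3cret"}                      # guest has no password
```

Against a real server the same authenticate() function works unchanged once connect() wraps an actual client library's bind, search and unbind calls.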