Re: LDAP Authentication method(s)
Curt Blank wrote:
Using a privileged admin type DN that is allowed auth access to the
userPassword attribute along with an ACL filter statement seems like the
way to go. But implementing this technique appears easier said than done.
The original thought was to bind as the privileged admin DN and then do
a, for lack of a better term, sub-bind as the user's DN in hopes that the
original bind as the privileged admin DN would then allow this
restricted authentication to succeed. Well, we have not been able to
accomplish this for probably one of two reasons. We're either doing
something wrong, or it's just not possible.
It's not possible.
Excerpt from RFC 4511, section 4.2.1:
Clients may send multiple Bind requests to change the authentication
and/or security associations or to complete a multi-stage Bind
process. Authentication from earlier binds is subsequently ignored.
Probably I did not fully understand your use-case but using the Proxy
Authorization Control might be a solution for your particular problem too.
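The two behaviours discussed in this reply, modelled in Python as an added example (not code from the list post, and it talks to no real directory server): a connection whose authentication state is replaced by every Bind, as RFC 4511 section 4.2.1 says, and a Proxied Authorization Control (RFC 4370, OID 2.16.840.1.113730.3.4.18) that switches the identity an individual operation is evaluated as while leaving the admin bind in place. The entries, passwords, ACL tables and the `Connection`, `sub_bind_attempt` and `proxied_operation` names are constructed for the illustration.

```python
"""Constructed model of LDAP connection authentication state, added here to
illustrate RFC 4511 section 4.2.1 (a later Bind replaces any earlier one) and
the Proxied Authorization Control of RFC 4370. It is not code from the list
post and talks to no real directory server; the entries, passwords and ACLs
below are constructed."""

# Real OID of the Proxied Authorization Control (RFC 4370).
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"

ADMIN_DN = "cn=admin,dc=example,dc=com"
ALICE_DN = "uid=alice,ou=people,dc=example,dc=com"

# Constructed directory; plain-text passwords only to keep the model short.
DIRECTORY = {
    ADMIN_DN: {"userPassword": "admin-secret"},
    ALICE_DN: {"userPassword": "alice-secret"},
}
# Constructed ACLs: who may read userPassword, and who may proxy as whom.
CAN_READ_USERPASSWORD = {ADMIN_DN}
CAN_PROXY_AS = {ADMIN_DN: {ALICE_DN}}


class Connection:
    """One LDAP connection. authz_dn is the identity operations run as;
    None means anonymous."""

    def __init__(self):
        self.authz_dn = None

    def bind(self, dn, password):
        """Simple Bind. RFC 4511 4.2.1: authentication from earlier binds is
        ignored, so the old identity is dropped before the new one is checked."""
        self.authz_dn = None
        entry = DIRECTORY.get(dn)
        if entry is None or entry["userPassword"] != password:
            return False  # invalidCredentials; connection is now anonymous
        self.authz_dn = dn
        return True

    def effective_identity(self, controls=()):
        """Identity a single operation is evaluated as. A Proxied Authorization
        Control switches it for this operation only, provided the bound identity
        is allowed to proxy as the asserted authzId (only "dn:<DN>" modelled)."""
        identity = self.authz_dn
        for oid, value in controls:
            if oid != PROXY_AUTHZ_OID:
                continue
            if not value.startswith("dn:"):
                raise PermissionError("only dn: authzIds are modelled here")
            target = value[3:]
            if target not in CAN_PROXY_AS.get(self.authz_dn, set()):
                raise PermissionError("not authorised to proxy as " + target)
            identity = target
        return identity

    def read_user_password(self, target_dn, controls=()):
        """Read userPassword of target_dn under the effective identity."""
        if self.effective_identity(controls) not in CAN_READ_USERPASSWORD:
            raise PermissionError("insufficientAccessRights")
        return DIRECTORY[target_dn]["userPassword"]


def sub_bind_attempt(user_dn, user_password):
    """The approach from the original post: bind as admin, then bind again as
    the user, hoping the admin's rights carry over. Returns (identity left on
    the connection, whether userPassword is still readable)."""
    conn = Connection()
    conn.bind(ADMIN_DN, "admin-secret")
    conn.bind(user_dn, user_password)
    try:
        conn.read_user_password(user_dn)
        readable = True
    except PermissionError:
        readable = False
    return conn.authz_dn, readable


def proxied_operation(user_dn):
    """Stay bound as admin and assert the user's identity for one operation.
    Returns (identity of the proxied op, identity of the next plain op)."""
    conn = Connection()
    conn.bind(ADMIN_DN, "admin-secret")
    proxied = conn.effective_identity([(PROXY_AUTHZ_OID, "dn:" + user_dn)])
    return proxied, conn.effective_identity()


if __name__ == "__main__":
    print("second bind as user:", sub_bind_attempt(ALICE_DN, "alice-secret"))
    print("second bind fails:  ", sub_bind_attempt(ALICE_DN, "wrong"))
    print("proxied operation:  ", proxied_operation(ALICE_DN))
```

The model makes the difference concrete: after the second Bind the connection is Alice (or anonymous if her password was wrong) and the admin's read access to userPassword is gone, whereas with the control the connection stays bound as the admin and only the operation carrying the control is evaluated as Alice. Against a real OpenLDAP server the same thing can be observed with the client tools' `-e authzid=dn:<DN>` extension (for example with ldapwhoami), subject to the server's authorization policy for who may proxy as whom.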