
Re: ldap auth from external application



Buchan Milne wrote:
> On Thursday 25 June 2009 20:47:46 Zdenek Styblik wrote:
> 
> After reading the README.LDAP, I didn't see any description of how 
> authentication is done, so I looked, and in src/log_ldap.c, we have this:
> 

Neither did I, but I just assumed/guessed. I didn't have time to look at
the source (yet).

> void pw_ldap_check(AuthResult * const result,...
> 
> IOW, pure-ftpd is retrieving the password hash from LDAP, hashing the password 
> from the user with the same hash (we hope), and comparing the resulting 
> character arrays.

That's what I expected.

> 
> It would have been much easier to bind as the user's DN, and look at the 
> result code ...
>

Agreed. And I'm very glad to hear that. Thanks for the confirmation.
I almost know I'm going to be too lazy to implement it, but the proper way
is to implement a search for the dn, right? A user with almost no rights, just
to search for the dn by some parameter (cn/uid/whatever), fetch the dn, try to
authenticate against the fetched dn with the user-provided password, check the
error code -> revoke/auth.

>> This user has access to 'userPassword'.
>> Documentation says:
>> "- LDAPBindDN is the DN we should bind the server for simple
>> authentication. If you don't need authentication (ie. anonymous users can
>> browse that part of the LDAP directory), just remove that line."
>>
>> But we need to bind to the LDAP, or we won't be allowed to read anything
>> at all.
>>
>> Anyway. I've tried to delete 'LDAPBindDN' and here goes result:
>> slapd[14940]: conn=1490 op=1 BIND dn="" method=128
>> ....
>> slapd[14940]: conn=1513 op=2 SEARCH RESULT tag=101 err=50 nentries=0 text=
>>
>> ...and it doesn't work. err=50 is insufficient access, but - isn't an
>> empty dn equivalent for anonymous?
> 
> 
> I would:
> 1) File a bug on pure-ftpd, that it should offer an option (my preference would 
> be that this should be the default) to bind as the user to validate the 
> password.

That might be just a matter of opinion (security [flame], here we go).
But I do agree with you.

> 2) Switch to a different FTP server (e.g. proftpd) until this is fixed in 
> pure-ftpd.

I'll see what can be done. Pure-ftpd is somewhat missing group support and
we need this feature at our site. There is some patch for it, but I'd
like to have internal support for this, rather than some external
script/mechanism. But that's a different story. Thank you for the suggestion
- point taken.

> 
> 
> Regards,
> Buchan

Thanks for the clarification and confirmation on this topic.

Have a nice day,
Zdenek

-- 
Zdenek Styblik
Net/Linux admin
OS TurnovFree.net
email: stybla@turnovfree.net
jabber: stybla@jabber.turnovfree.net
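The search-then-bind flow Zdenek sketches above (low-privilege search account finds the DN, then a bind as that DN with the user's password decides the result), as an added example that is not part of this thread or of pure-ftpd. The directory contents, the `cn=ftpsearch` account and the `fake_search`/`fake_bind` stand-ins are constructed so it runs offline; a real deployment swaps them for python-ldap or ldap3 calls.

```python
# Added example (not pure-ftpd code): "search for the DN, then bind as that DN".
# Constructed directory: DN -> (attributes, password). The password is kept here only
# so the fake bind can check it; the search account never reads userPassword.
FAKE_DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": ({"uid": "alice"}, "correct horse"),
    "uid=bob,ou=people,dc=example,dc=org": ({"uid": "bob"}, "hunter2"),
    "uid=bob,ou=ext,dc=example,dc=org": ({"uid": "bob"}, "other"),
}
SEARCH_DN, SEARCH_PW = "cn=ftpsearch,dc=example,dc=org", "search-only-secret"  # constructed

def fake_search(bind_dn, bind_pw, base, uid):
    """Stand-in for a bound search: DNs under `base` whose uid matches, or None if
    the search account itself cannot bind (err=49/err=50 territory in the slapd log)."""
    if (bind_dn, bind_pw) != (SEARCH_DN, SEARCH_PW):
        return None
    return [dn for dn, (attrs, _) in FAKE_DIRECTORY.items()
            if dn.endswith(base) and attrs.get("uid") == uid]

def fake_bind(dn, password):
    """Stand-in for a simple bind. Deliberately mirrors servers that accept an
    'unauthenticated' bind (non-empty DN, empty password) and treat it as anonymous:
    the bind 'succeeds' although no password was checked."""
    if password == "":
        return True
    entry = FAKE_DIRECTORY.get(dn)
    return entry is not None and entry[1] == password

def search_then_bind(uid, password, base="dc=example,dc=org",
                     search=fake_search, bind=fake_bind):
    """Return (authenticated, reason). No hash is ever fetched or compared locally;
    the server's answer to the bind is the only verdict."""
    if not password:
        return False, "empty password"        # reject before binding, see fake_bind
    if any(c in uid for c in "*()\\\0"):      # keep user input out of the search filter;
        return False, "bad characters in uid"  # a real client escapes per RFC 4515 instead
    found = search(SEARCH_DN, SEARCH_PW, base, uid)
    if found is None:
        return False, "search bind failed"
    if len(found) == 0:
        return False, "no such user"
    if len(found) > 1:
        return False, "ambiguous uid"         # refuse to guess which entry to bind as
    if bind(found[0], password):
        return True, "ok"
    return False, "invalid credentials"
```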