[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap auth from external application

On Wednesday 24 June 2009 19:59:07 Zdenek Styblik wrote:
> Hi,
> I'd like to ask why is auth from external applications like eg. ftp
> server done via proxy user, and not straight with user provided
> credentials.

I am assuming you are asking why a proxy user is required. Typically, the 
proxy user is *not* used to "authenticate" the user, but to identify the DN to 
bind as. Once the DN has been identified, the password supplied is used to bind 
as the DN that the application determined is correct for the username that was 

Of course, this is in the case of a simple bind.

The other alternatives are:
-Use a SASL mechanism, and ensure that the LDAP server maps a SASL username to 
the correct DN
-Do DN construction (which has significant disadvantages)

> Could somebody, please, clarify this for me? I'm sure there are really
> good reasons no to so (straight auth), still I've "found" pros in not
> having additional user which is capable to read others (even hashed)
> passwords, and probably no need to be password hash dependent as whole
> auth would be LDAPs domain.

This sounds like your application is broken, and is comparing passwords on the 
client side. Most applications like this can be configured to do a BIND to 
validate the password instead, and this gives you a lot more flexibility (e.g., 
use new password hashes supported by the LDAP server, but not necessarily by 
all applications).

In a decent setup, no DN should need to read passwords to do authentication.

Maybe you need to provide details of your application and it's configuration.