LDAP Bind during Login



  • Hello! Just a quick question/feature request. I got the LDAP plugin working just fine and was wondering if it would be possible to replace the statically set LDAP bind user with the user who is attempting to login? I currently have an LDAP Bind user called bind.user in my domain. It is just the user who is used to read LDAP and it does not have permission to do much else on the domain, nor log into the FOG webpage. It is possible to replace that with the domain user who is currently logging into the FOG webpage? Thanks!



  • @Daniel-Miller said in LDAP Bind during Login:

    Now, if you happen to know what the DN suffix will be, an alternative to the search and bind method would be a direct bind where the required static information is added to the username to create the DN that is proffered to LDAP for the bind request.

    Right, this is something like I was thinking about, especially on a domain-joined machine. I suppose I didn’t phrase it properly or concisely - that’s my bad.

    No particular reason for this functionality; just didn’t know if it would be something worth adding in or how difficult it would be to code into the plugin. No worries!

    Thanks for the quick reply!



  • To what end? The bind user is there to allow an authenticated search for the authenticating user’s DN so that an authentication check can occur for that user. The purpose of this technique is to permit the binding of users from arbitrary OUs and this user is often intentionally only given sufficient privilege so that they can do that search (principle of least privilege). In general, it would be considered a security risk to have the search functionality fall to an actual user’s account, and depending on how the LDAP domain was configured, doing so may break the login function as there is not a general requirement for user accounts to be able to search on an LDAP domain.

    Now, if you happen to know what the DN suffix will be, an alternative to the search and bind method would be a direct bind where the required static information is added to the username to create the DN that is proffered to LDAP for the bind request. This authentication method would require changes to the LDAP plugin as it exists in 1.5.7 as I do not believe it is currently coded to support it. There has been a bit of work done to the LDAP plugin in dev-branch, but I’m not sure if they have looked at adding other binding methods.


Log in to reply
 

284
Online

7.2k
Users

14.4k
Topics

135.6k
Posts