LDAP Bind during Login
-
Hello! Just a quick question/feature request. I got the LDAP plugin working just fine and was wondering if it would be possible to replace the statically set LDAP bind user with the user who is attempting to log in? I currently have an LDAP bind user called bind.user in my domain. It is just the user who is used to read LDAP and it does not have permission to do much else on the domain, nor log into the FOG webpage. Is it possible to replace that with the domain user who is currently logging into the FOG webpage? Thanks!
-
To what end? The bind user is there to allow an authenticated search for the authenticating user’s DN so that an authentication check can occur for that user. The purpose of this technique is to permit the binding of users from arbitrary OUs and this user is often intentionally only given sufficient privilege so that they can do that search (principle of least privilege). In general, it would be considered a security risk to have the search functionality fall to an actual user’s account, and depending on how the LDAP domain was configured, doing so may break the login function as there is not a general requirement for user accounts to be able to search on an LDAP domain.
Now, if you happen to know what the DN suffix will be, an alternative to the search and bind method would be a direct bind where the required static information is added to the username to create the DN that is proffered to LDAP for the bind request. This authentication method would require changes to the LDAP plugin as it exists in 1.5.7 as I do not believe it is currently coded to support it. There has been a bit of work done to the LDAP plugin in dev-branch, but I’m not sure if they have looked at adding other binding methods.
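As an added illustration (not code from the FOG LDAP plugin or from either poster), the two methods described above are contrasted against a constructed in-memory stand-in for the LDAP server; all DNs, account names and passwords are made up for the example.

```python
# Added illustration, not FOG plugin code: search-and-bind versus direct bind, run
# against an in-memory stand-in for the LDAP server. Every DN, account name and
# password below is constructed for the example.
DIRECTORY = {  # DN -> ({attributes}, password)
    "cn=bind.user,ou=Service,dc=example,dc=org": ({"sAMAccountName": "bind.user"}, "bind-secret"),
    "cn=alice,ou=Staff,dc=example,dc=org": ({"sAMAccountName": "alice"}, "alice-pw"),
    "cn=bob,ou=Contractors,dc=example,dc=org": ({"sAMAccountName": "bob"}, "bob-pw"),
}
BASE_DN = "dc=example,dc=org"


def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind: succeeds only if the DN exists and the
    password matches. An empty password is rejected explicitly, because on a real
    server an empty password is an anonymous bind that "succeeds" without auth."""
    entry = DIRECTORY.get(dn)
    return entry is not None and bool(password) and entry[1] == password


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514), so a typed username
    such as 'alice,ou=Admins' cannot change which entry the direct bind targets."""
    escaped = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    if escaped.startswith(("#", " ")):
        escaped = "\\" + escaped
    if escaped.endswith(" "):
        escaped = escaped[:-1] + "\\ "
    return escaped


def search_and_bind(bind_dn, bind_pw, username, password):
    """Search-and-bind (what a bind.user account exists for): bind as the
    low-privilege service account, locate the user's DN under BASE_DN in
    whatever OU it lives, then verify the user's password by binding as that DN."""
    if not simple_bind(bind_dn, bind_pw):
        return None  # service account rejected; the user cannot even be located
    matches = [dn for dn, (attrs, _) in DIRECTORY.items()
               if dn.endswith(BASE_DN) and attrs.get("sAMAccountName") == username]
    if len(matches) != 1:
        return None  # unknown or ambiguous user: fail closed
    return matches[0] if simple_bind(matches[0], password) else None


def direct_bind(username, password, template="cn={user},ou=Staff," + BASE_DN):
    """Direct bind: no service account; the DN is built from a fixed suffix, so it
    only works for users whose entry actually sits at that suffix (one OU)."""
    dn = template.format(user=escape_dn_value(username))
    return dn if simple_bind(dn, password) else None


if __name__ == "__main__":
    svc = "cn=bind.user,ou=Service,dc=example,dc=org"
    print(search_and_bind(svc, "bind-secret", "bob", "bob-pw"))  # found in Contractors OU
    print(direct_bind("alice", "alice-pw"))  # works: alice is under ou=Staff
    print(direct_bind("bob", "bob-pw"))      # None: bob is not under ou=Staff
```

The direct-bind failure for bob shows the trade-off from the post: dropping the service account also drops the ability to authenticate users from arbitrary OUs.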
-
@Daniel-Miller said in LDAP Bind during Login:
Now, if you happen to know what the DN suffix will be, an alternative to the search and bind method would be a direct bind where the required static information is added to the username to create the DN that is proffered to LDAP for the bind request.
Right, this is something like I was thinking about, especially on a domain-joined machine. I suppose I didn’t phrase it properly or concisely - that’s my bad.
No particular reason for this functionality; just didn’t know if it would be something worth adding in or how difficult it would be to code into the plugin. No worries!
Thanks for the quick reply!