
LDAP Active directory authentication question

I am trying to authenticate users on my site with their LDAP credentials. However, the bind to Active Directory seems to require my credentials first before I can authenticate any other username/password.

I don't want to hardcode my credentials in the application. Any suggestions?

# CGI::Application::Plugin::Authentication configuration using the
# Authen::Simple::LDAP driver against Active Directory.
$self->authen->config(
    DRIVER => [
        'Authen::Simple::LDAP',
        host   => 'ldapad.company.com',
        basedn => 'OU=XXX,OU=AD,DC=YYY,DC=ZZZ',
        # Service account used for the initial bind and the user lookup;
        # these are the credentials the question wants to avoid hardcoding.
        binddn => 'CN=myname,OU=Users,OU=company,OU=AD,DC=company,DC=ZZZ',
        bindpw => 'secret',
        # %s is replaced with the submitted username to locate the user's DN.
        filter => '(cn=%s)',
    ],

    CREDENTIALS        => [ 'authen_username', 'authen_password' ],
    STORE              => 'Session',
    LOGOUT_RUNMODE     => 'logout',
    LOGIN_RUNMODE      => 'login',
    POST_LOGIN_RUNMODE => 'okay',
    RENDER_LOGIN       => \&my_login_form,
);


This is a standard FAQ item for LDAP to A/D.

You must create a special user for the purpose of binding to A/D, and hardcode the credentials in your client. AFAIK there's no way around this requirement, though if there's newer information available (I solved this a few years ago) I'd love to know.


You could store the credentials in a separate file that you read programmatically with strict permissions on it, so at least you don't have to embed the credentials right in the source.
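As an added example (not code from the question or from any of the answers), here is one way to do what the answer above describes in the same Perl stack as the question: the service-account `binddn`/`bindpw` live in a small key=value file, and the loader refuses to use the file unless it is owned by the running user and readable by nobody else, so a careless `chmod` fails at startup instead of quietly exposing the bind password. The file path, the `aduser` DN and the password in the demo are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Read the LDAP service-account credentials from a file that only the web
# application's user may read. Dies if the file is group- or world-accessible
# or owned by someone else, or if binddn/bindpw are missing.
sub load_bind_credentials {
    my ($path) = @_;

    my @st = stat($path) or die "cannot stat $path: $!\n";
    my ($mode, $uid) = ($st[2], $st[4]);
    my $perm = sprintf '%04o', $mode & 07777;

    die "$path is accessible to group or others (mode $perm); chmod 600 it\n"
        if $mode & (S_IRWXG | S_IRWXO);
    die "$path is owned by uid $uid, not the running user (uid $<)\n"
        if $uid != $<;

    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my %cred;
    while (my $line = <$fh>) {
        chomp $line;
        next if $line =~ /^\s*(#|$)/;    # skip comments and blank lines
        my ($key, $value) = $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "malformed line in $path: $line\n";
        $cred{$key} = $value;
    }
    close $fh;

    for my $required (qw(binddn bindpw)) {
        die "$path is missing '$required'\n" unless defined $cred{$required};
    }
    return \%cred;
}

# Constructed demo: write a credentials file with mode 0600, load it, then
# loosen the permissions and confirm the loader rejects it.
my ($fh, $path) = tempfile(UNLINK => 1);
chmod 0600, $path or die "chmod: $!\n";
print $fh <<'EOF';
# Service account used only to look up users before binding as them (example values)
binddn = CN=aduser,OU=Service Accounts,DC=company,DC=example
bindpw = example-only-not-a-real-secret
EOF
close $fh;

my $cred = load_bind_credentials($path);
print "loaded binddn: $cred->{binddn}\n";

# The hardcoded binddn/bindpw from the question become file-backed values;
# this list is what would be passed as DRIVER to $self->authen->config.
my @driver = (
    'Authen::Simple::LDAP',
    host   => 'ldapad.company.com',
    basedn => 'OU=XXX,OU=AD,DC=YYY,DC=ZZZ',
    binddn => $cred->{binddn},
    bindpw => $cred->{bindpw},
    filter => '(cn=%s)',
);

chmod 0644, $path or die "chmod: $!\n";
eval { load_bind_credentials($path) };
print "rejected after chmod 644: $@" if $@;
```

Run it once under the same account the web server uses; the ownership check means a file that root created and forgot to `chown` is rejected too, which is usually the mistake you want to catch. Keep the file outside the document root so it can never be served by the web server.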


You should create a user in Active Directory (say 'aduser') which can have a trivial password. You can then simply give that user no rights to do or access anything. AD allows any user (even one with no access rights) to bind to the directory, but they must have an account on the domain.
