
anonymous bind + user bind + password hash

Open rmfrankch opened this issue 5 years ago • 2 comments

Our openLdap server always requires binding with an account. It will fail with an anonymous bind. Thus, we have a technical user and password with which we bind and execute searches.

Our LDAP will not ever release a password (even as a hash), thus I cannot use that field to verify the user's password. Instead, I have to bind to LDAP using the user's password.

So, in order to verify a user's password, I need to:

1. connect
2. start TLS
3. bind with the technical user
4. fetch the user's record (we have special attributes with which we can search for either the shortname (uid) or the email address)
5. then use the cn of that record to rebind using the user's password.

If the last step succeeds, I have the correct password, otherwise not.

LDAP modules of other applications (i.e. RT4) offer this option, this one doesn't. Could this be implemented? Implementing startTLS is easy, it only requires calling the ldap_start_tls function and checking for a true or false. (Of course there's more to it, but not on the programming side.) We'd need some configuration flag to use or not use TLS, though.

rmfrankch, Jun 19 '19 13:06
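The flow described in the issue (StartTLS, bind as the technical user, search by uid or mail, then rebind as the found entry to check the password), as an added PHP example that is not the plugin's own code. The host, the technical-user DN, the search base and the uid/mail attribute names are assumptions; the rebind uses the entry's DN, which is what a bind operation takes.

```php
<?php
// Added example (not the plugin's code): search-then-bind LDAP authentication over
// StartTLS. Host, DNs and attribute names are placeholders for this illustration.
function ldapAuthenticate(string $login, string $password): ?string
{
    $uri    = 'ldap://ldap.example.com';                     // assumed host
    $techDn = 'cn=matomo,ou=services,dc=example,dc=com';     // assumed technical user
    $techPw = getenv('LDAP_TECH_PASSWORD') ?: '';
    $baseDn = 'ou=people,dc=example,dc=com';                 // assumed search base

    // Never pass an empty password to ldap_bind(): servers commonly treat it as
    // an unauthenticated (anonymous) bind that reports success.
    if ($password === '') {
        return null;
    }
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
    // Upgrade to TLS before any credential crosses the wire; abort if it fails.
    if (!ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return null;
    }
    // Step 1: bind with the technical account so the search is permitted.
    if (!@ldap_bind($conn, $techDn, $techPw)) {
        ldap_unbind($conn);
        return null;
    }
    // Step 2: find the user by uid or mail; ldap_escape() keeps a crafted login
    // from rewriting the filter (LDAP injection).
    $safe    = ldap_escape($login, '', LDAP_ESCAPE_FILTER);
    $result  = ldap_search($conn, $baseDn, "(|(uid={$safe})(mail={$safe}))", ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : ['count' => 0];
    // Exactly one match is required; an ambiguous result is a failure, not a guess.
    if ($entries['count'] !== 1) {
        ldap_unbind($conn);
        return null;
    }
    $userDn = $entries[0]['dn'];
    // Step 3: rebind as that DN with the supplied password; success proves it.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok ? $userDn : null;
}
```

The function returns the authenticated user's DN on success and null on any failure, so the caller cannot mistake a failed TLS upgrade or an ambiguous search for a successful login.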

I have (seemingly) the exact same use case. LDAP does not return a password (hashed or otherwise), instead for other uses we bind with the technical user find the correct user and try to bind as them.

whikloj, Jun 09 '20 17:06

Never mind, the module works. I had used my LDAP account associated password for the admin user, so I couldn't log in because it said "Could not synchronize the following users in LDAP:".

whikloj, Jun 10 '20 16:06