Re: Is a search result necessary for a successful bind?

On Fri, 2015-08-28 at 12:47 -0700, Ken Yamaguchi wrote:
> I'm setting up authentication to an LDAP server that appears to 
> disallow user results retrieval even for the own object. The attached 
> patch (opt1) allows authentication to proceed. Is the check for an 
> LDAP result necessary if myldap_search() reports success? If not, 
> perhaps the myldap_get_entry() call is also not needed (opt2, which 
> also works with my environment)?

Thanks for your patch. It is a bit ugly to start a search and ignore
the results but perhaps it is a start.

The original reason that a search was done after a bind was that it was
easier to implement with the code that was in place. Specifically the
retry and fail-over mechanism is implemented in myldap_search() and
even some parts in myldap_get_entry(). This needs to be maintained for
the authentication check.

Also, some LDAP servers only seem to handle some bind failures not as
errors but fall back to anonymous bind so an extra search is a bit of a
security precaution.

There have been some ideas to make the search that would be done
configurable or optional (perhaps a pam_authc_search option) but this
is a bit tricky with the way the code is currently structured.

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
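The trade-off in this thread, as an added illustration that is not nss-pam-ldapd code: a bind followed by a base-scope search for the user's own entry catches a server that quietly downgrades a failed bind to an anonymous session, but it also rejects a correct password on a server that forbids users from reading their own object (Ken's case). The server classes, the DN and the password below are constructed for the example.

```python
# Minimal models of three LDAP server behaviours discussed in the thread.
# Constructed for illustration; not the code of nss-pam-ldapd or any server.
USER_DN = "uid=ken,ou=people,dc=example,dc=org"   # constructed sample entry
USERS = {USER_DN: "s3cret"}                       # constructed credentials


class StrictServer:
    """Expected behaviour: a failed simple bind is reported as an error."""

    def __init__(self):
        self.bound_as = None  # DN of the authenticated session, or None

    def bind(self, dn, password):
        if USERS.get(dn) != password:
            raise PermissionError("invalidCredentials")
        self.bound_as = dn

    def search_base(self, dn):
        # Only the entry's owner may read it; anonymous sessions get nothing.
        return [dn] if self.bound_as == dn else []


class LenientServer(StrictServer):
    """Models a server that falls back to anonymous on a failed bind."""

    def bind(self, dn, password):
        self.bound_as = dn if USERS.get(dn) == password else None
        # No error is raised: the bind "succeeds" as anonymous.


class NoSelfReadServer(StrictServer):
    """Models Ken's server: even a correctly bound user cannot read its entry."""

    def search_base(self, dn):
        return []


def bind_only(server, dn, password):
    """Authentication decided by the bind result alone (the 'opt2' idea)."""
    try:
        server.bind(dn, password)
    except PermissionError:
        return False
    return True


def bind_and_verify(server, dn, password):
    """Bind, then require that the session can read its own entry."""
    if not bind_only(server, dn, password):
        return False
    return len(server.search_base(dn)) == 1
```

Against the lenient server only `bind_and_verify` rejects a wrong password; against the no-self-read server it rejects the right one, which is the gap a configurable post-bind search would have to close.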