auth_ldap

Michael nginx at thismetalsky.org
Wed Aug 20 17:47:12 MSD 2008


On Wed, Aug 20, 2008 at 14:49:41, Markus Teichmann said...

> > Wouldn't it be better to do the bind as the user authenticating?  There's no
> > need to do the extra step of performing an administrator bind, then look up
> > the user in an additional operation.
> 
> The look up is needed if the user authenticates not with its dn.
> Sometimes the uid is used for authenticating. Therefore the lookup is
> needed.

Ah yes, that's a good point, I tend to use unix usernames as the dn myself.
I'm doing this (on apache) this way now.

You should also consider adding a filter, like Apache does, e.g.:

Require ldap-filter |(employeeType=Staff)(employeeType=Freelance)

> The additional bind should solve some active directory issues. At least
> that's how I understand Kon's mail...
 
Sure, if it solves problems like that, I'm all for it.  I was just thinking in
terms of efficiency, and from a unix/OpenLDAP perspective.  I've no AD
experience.

-- 
Michael Stella  |  IT Systems Architect
PGP: 1024D/BC3FF6D4 2BC2 A79B 88D1 218A B32B  ED7A 2EC2 1206 BC3F F6D4
"Ignorance killed the cat, sir. Curiosity was framed." ---C.J. Cherryh

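The flow discussed in this message (service bind, look up the DN by uid with an authorization filter ANDed in, then bind as that DN), as an added example that is not part of the original e-mail or of any nginx module. The directory contents, function names and in-memory search are constructed stand-ins for a real LDAP server.

```python
import hmac

# Constructed sample directory (assumption): DN -> attributes. A real module
# would query an LDAP server; this in-memory stand-in keeps the example offline.
DIRECTORY = {
    "cn=Alice Smith,ou=people,dc=example,dc=org":
        {"uid": "asmith", "employeeType": "Staff", "userPassword": "alice-pw"},
    "cn=Bob Jones,ou=people,dc=example,dc=org":
        {"uid": "bjones", "employeeType": "Intern", "userPassword": "bob-pw"},
}
ALLOWED_TYPES = ("Staff", "Freelance")  # values from the ldap-filter in the message


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(login):
    """Filter a real client would send: uid match ANDed with the type filter."""
    types = "".join("(employeeType=%s)" % t for t in ALLOWED_TYPES)
    return "(&(uid=%s)(|%s))" % (escape_filter_value(login), types)


def search(login):
    """Stand-in for the search made after the service-account bind.
    It matches literally, which is what the escaped filter asks the server for."""
    return [dn for dn, attrs in DIRECTORY.items()
            if attrs["uid"] == login and attrs["employeeType"] in ALLOWED_TYPES]


def authenticate(login, password):
    """Return the user's DN on success, None otherwise."""
    if not login or not password:
        # A simple bind with an empty password is an unauthenticated bind
        # (RFC 4513) that servers may accept, so refuse it before binding.
        return None
    matches = search(login)
    if len(matches) != 1:  # no entry, filtered out, or ambiguous: refuse
        return None
    dn = matches[0]
    # Stand-in for the second bind, made as the DN that the search returned.
    stored = DIRECTORY[dn]["userPassword"].encode()
    return dn if hmac.compare_digest(stored, password.encode()) else None
```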



