Hi again,
On Fri, Nov 30, 2007 at 06:08:31PM +0000, Matthew Newton wrote:
> The problem is that I often get the error "435 Unable to
> authenticate at present" rather than "535 Incorrect authentication
> data". When this system goes live that is likely to cause support
> problems assuming the user gets to see the message.
OK, I know it's bad form to reply to your own posts... of course
having played with this for ages, then posted, I've worked it out
using the following way.
> The only thing I can think of now is to do a "lookup ldap bind as
> system" inside an "if ldapauth", inside a "lookup ldap bind as
> user", which would be even more hideous than now...
It now looks like this:
LDAP_DN=<system user dn>
LDAP_PASS=<system password dn>
LDAP_SERVER=<out ldap server>
LDAP_BASE=<search base>
LDAP_RESTRICTED_GROUP=<cn=restricted,ou=groups,... etc>
LDAPUSER=${quote:${lookup ldap \
{ user=LDAP_DN \
pass=LDAP_PASS \
referrals=nofollow \
ldaps://LDAP_SERVER:636/\
LDAP_BASE?\
distinguishedName?sub?\
sAMAccountName=${quote_ldap_dn:$auth1}\
}\
{$value}fail}}
...
server_condition = ${lookup ldap \
{ user=${if ldapauth { user=LDAPUSER \
pass=${quote:$auth2} \
referrals=nofollow \
ldaps://LDAP_SERVER:636/\
LDAP_BASE\
}\
{LDAPUSER}fail} \
pass=${quote:$auth2} \
referrals=nofollow \
ldaps://LDAP_SERVER:636/\
LDAP_BASE?\
sAMAccountName?sub?\
(&(sAMAccountName=${quote_ldap_dn:$auth1})\
(!(memberOf=LDAP_RESTRICTED_GROUP)))\
}\
{1}fail}
Doesn't actually look that bad, and it seems to cache and re-use
connections to the LDAP server, so hopefully shouldn't be that
bad! Using ldapauth also checks for blank passwords (which our
server doesn't seem to like, but is better here anyway.)
Sorry for the disturbance...! Of course, I'd still be
interested if there is a better way ;-).
Thanks,
Matthew
--
Matthew Newton <mcn4@???>
Network Support and UNIX Systems Administrator, Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
For IT help contact helpdesk extn. 2253, <cchelp@???>
