[tpop3d-discuss] ldap virtual auth plugin : near release

Paul Makepeace Paul.Makepeace at realprogrammers.com
Thu, 21 Feb 2002 05:34:24 -0800


On Mon, Feb 18, 2002 at 05:08:52PM +0100, Prune wrote:
> Chris Lightfoot wrote:
> >On Mon, Feb 18, 2002 at 03:44:11PM +0100, Prune wrote:
> >>What it does :
> >>
> >>-do auth against an LDAP server
> >>-get the location of the mailbox (or maildir) from LDAP
> >>-get the uid/gid of the mailbox from LDAP
> >>
> >
> >OK, this all looks sensible. I take it that the way that
> >authentication is done is defined by LDAP, so that you
> >don't have to retrieve a password from the directory
> >explicitly?
> >
> Right. That's why it's a good thing to use TLS, so data from the client
> to LDAP are encrypted over the network.
> LDAP has a special way to authenticate users with a method called 'bind'.
> First you connect to the server.
> Then you 'bind' as manager (privileged read user).
> You search for the user and his attributes.
> Once you have all this, you can 'bind' again as the user.

I'm curious why someone would require a privileged user to perform
the mail -> uid/DN search? In other words, what would be the
advantages of putting access controls on a mail attribute? It seems to
me to defeat one of the original purposes of LDAP, e.g. address books.
(Perhaps I'm missing something here).

I would have expected this to be obtainable from an anonymous
bind/search which is quicker than an authenticated bind.

> the bind operation gives you success or fail. You never get the

You could do a compare operation from an already anonymously bound
session, which would probably be more efficient overall.

It's been a while since I really did anything with LDAP, so don't take my
word for it :-) I would highly recommend posting a summary & request for
comments on the proposed/implemented system to the ldap(at)umich.edu
list http://www.umich.edu/~dirsvcs/ldap/#lists (which is where
openldap-general type questions go these days, apparently).

Paul


--
Paul Makepeace ....................................... http://paulm.com/

"If the question defines the domain, then a priest will behave very
 oddly."
   -- http://paulm.com/toys/surrealism/
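The bind flow Prune describes above (connect, bind as manager, search for the user, bind again as the user) and the anonymous-bind-plus-compare alternative Paul suggests, shown on the wire as an added example that is not part of this thread or of the tpop3d LDAP plugin: a standard-library-only Python encoder/decoder for the LDAPv3 (RFC 4511) BindRequest, SearchRequest, CompareRequest and LDAPResult messages each step exchanges. The DNs, credentials and attribute names (mail, uidNumber, gidNumber, mailMessageStore) are constructed sample data and assumptions, not the plugin's schema. Two things worth seeing in the bytes: the simple-bind password is a plain OCTET STRING, which is the reason for TLS, and a DN with an empty password is the "unauthenticated" bind of RFC 4513 that servers allowing it answer with success, so the example refuses it before building the request.

```python
"""LDAPv3 (RFC 4511) wire messages for a bind / search / compare login flow.

Standard library only: encodes what a client sends and decodes what the
server answers, with no directory server needed. Every DN, attribute name
and credential below is constructed sample data, not tpop3d's schema.
"""


# --- BER primitives (LDAP uses definite-length encoding only) -------------

def ber_len(n: int) -> bytes:
    """Short form below 128 bytes, long form (0x80|N, then N length bytes)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(body)) + body


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Two's-complement INTEGER (0x02) or ENUMERATED (0x0a)."""
    n = (value.bit_length() + 8) // 8          # +8 keeps room for the sign bit
    return tlv(tag, value.to_bytes(n, "big", signed=True))


def ber_str(s: str, tag: int = 0x04) -> bytes:
    return tlv(tag, s.encode("utf-8"))


def ber_seq(*parts: bytes, tag: int = 0x30) -> bytes:
    return tlv(tag, b"".join(parts))


def ldap_message(msg_id: int, op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE }."""
    return ber_seq(ber_int(msg_id), op)


# --- Client side -----------------------------------------------------------

def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """Simple bind: [APPLICATION 0] { version 3, name, simple [0] password }.
    The password is a cleartext OCTET STRING on the wire (hence TLS). A DN
    with an empty password is RFC 4513's "unauthenticated" bind: servers that
    permit it answer success and grant anonymous access, so a POP3 front end
    must reject it here rather than trust the bind result."""
    if password == "":
        raise ValueError("refusing unauthenticated (empty-password) simple bind")
    return ldap_message(msg_id, ber_seq(
        ber_int(3), ber_str(dn), ber_str(password, tag=0x80), tag=0x60))


def anonymous_bind(msg_id: int) -> bytes:
    """Anonymous bind: empty DN *and* empty credentials, the only legitimate
    empty-password case; enough for the lookup if ACLs allow anonymous read."""
    return ldap_message(msg_id, ber_seq(
        ber_int(3), ber_str(""), ber_str("", tag=0x80), tag=0x60))


def search_request(msg_id: int, base: str, attr: str, value: str,
                   attrs: list) -> bytes:
    """[APPLICATION 3] subtree search, equalityMatch filter ([3] AVA),
    e.g. (mail=alice@example.org), requesting only the attributes needed."""
    filt = ber_seq(ber_str(attr), ber_str(value), tag=0xA3)
    return ldap_message(msg_id, ber_seq(
        ber_str(base),
        ber_int(2, tag=0x0A),            # scope: wholeSubtree
        ber_int(0, tag=0x0A),            # derefAliases: neverDerefAliases
        ber_int(0), ber_int(0),          # sizeLimit, timeLimit: server default
        tlv(0x01, b"\x00"),              # typesOnly: FALSE
        filt,
        ber_seq(*(ber_str(a) for a in attrs)),
        tag=0x63))


def compare_request(msg_id: int, dn: str, attr: str, value: str) -> bytes:
    """[APPLICATION 14] { entry, ava { attributeDesc, assertionValue } }: the
    compare Paul proposes; the server answers compareTrue / compareFalse and
    the ACL must grant 'compare' on the attribute."""
    return ldap_message(msg_id, ber_seq(
        ber_str(dn), ber_seq(ber_str(attr), ber_str(value)), tag=0x6E))


# --- Server side -----------------------------------------------------------

RESULT_CODES = {0: "success", 5: "compareFalse", 6: "compareTrue",
                32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights"}


def ldap_result(msg_id: int, op_tag: int, code: int,
                matched_dn: str = "", diag: str = "") -> bytes:
    """LDAPResult { resultCode ENUMERATED, matchedDN, diagnosticMessage } in a
    BindResponse (0x61), SearchResultDone (0x65) or CompareResponse (0x6f)."""
    return ldap_message(msg_id, ber_seq(
        ber_int(code, tag=0x0A), ber_str(matched_dn), ber_str(diag), tag=op_tag))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_result(msg: bytes) -> tuple:
    """Parse a response carrying an LDAPResult into (msg_id, op_tag,
    result_code, result_name, matchedDN, diagnostic). Only resultCode 0 (or
    compareTrue for a compare) means accepted; anything else fails the login."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = _read_tlv(body, 0)
    op_tag, op, _ = _read_tlv(body, pos)
    _, code, pos = _read_tlv(op, 0)
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big", signed=True)
    return (int.from_bytes(mid, "big", signed=True), op_tag, rc,
            RESULT_CODES.get(rc, "other"), matched.decode(), diag.decode())


if __name__ == "__main__":                  # the thread's flow, hex on the wire
    print(bind_request(1, "cn=manager,dc=example,dc=org", "s3cret").hex())
    print(search_request(2, "dc=example,dc=org", "mail", "alice@example.org",
                         ["uidNumber", "gidNumber", "mailMessageStore"]).hex())
    print(bind_request(3, "uid=alice,ou=people,dc=example,dc=org", "hunter2").hex())
    print(decode_result(ldap_result(3, 0x61, 49, diag="invalid credentials")))
```

Running it prints the three client requests of Prune's flow and a decoded failed user bind; `anonymous_bind(1)` yields the well-known 14-byte anonymous BindRequest, which is what a sniffer shows for the cheap lookup Paul has in mind. The empty-password check is the one piece of logic a mail front end cannot delegate to the directory: the bind succeeds either way, so the result code alone does not tell the two cases apart.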