Subject: Developers of Sympa
List archive
- From: Olivier Salaün <address@concealed>
- To: address@concealed
- Cc: address@concealed
- Subject: [sympa-dev] Re: Re: RE: Re: LDAP Authentication
- Date: Mon, 28 May 2007 18:11:39 +0200
You're right, here is a description of Sympa's behavior while performing LDAP authentication:
1. sympa retrieves the user's DN, given his email address. This is performed using the bind_dn if provided (otherwise anonymously)
2. sympa validates the user's provided password by trying a bind with the user DN and provided password
3. while performing (2) we retrieve the user's alternate email addresses, if any
The algorithm could be optimized as follows:
* Step (3) could be performed only if an alternative_email_attribute has been configured
* Step (3) could be performed during (1); more adapted to situations where users can't access their LDAP entries
We've got to add feature requests in our tracking system to keep track of these ideas. You're welcome to create the entry if you wish...
address@concealed wrote:
Chris, I think you are right on the money. Yesterday I thought only bind_dn & password needed mail attribute access. But as you said, the sympa users need to access the mail attribute. A close look at the ldap log reveals that first sympa does a bind using bind_dn and password, and then it binds using the user's uid and password and tries to retrieve the mail attribute. I think in my case it failed.
We have strict control over the directory; individual users don't have the ability to access the attributes. So it results in failed authentication. I am in the process of adding some access control in the directory so users can access the attribute.
Again, thanks Chris & Thomas for your quick response.
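
The three-step flow described in this message and the optimization proposed for it, as an added example that is not part of the original post and is not Sympa's code. It is a toy in-memory model (no real LDAP client): every DN, password, the attribute name `mailAlternateAddress` and all function names are assumptions, and it treats a denied step (3) read as a failed login, as reported in the quoted reply.

```python
# Constructed toy directory: every DN, attribute name and password is made up.
SERVICE_DN = "cn=sympa,ou=services,dc=example,dc=org"
SERVICE_PW = "svc-secret"
ALT_ATTR = "mailAlternateAddress"
DIRECTORY = {
    SERVICE_DN: {"userPassword": SERVICE_PW},
    "uid=alice,ou=people,dc=example,dc=org": {
        "userPassword": "alice-pw", "mail": "alice@example.org",
        ALT_ATTR: ["a.smith@example.org"]},
}

class Conn:
    """Toy LDAP connection with one ACL switch (not a real LDAP client)."""
    def __init__(self, users_can_read_self):
        self.users_can_read_self, self.bound_as = users_can_read_self, None

    def bind(self, dn, password):
        entry = DIRECTORY.get(dn)
        # An empty password is refused: it must never count as a verified login.
        ok = bool(password) and entry is not None and entry["userPassword"] == password
        self.bound_as = dn if ok else None
        return ok

    def search(self, mail, attrs):
        for dn, entry in DIRECTORY.items():
            if entry.get("mail") == mail:
                # ACL: the service account reads all; users read self only if allowed.
                if self.bound_as == SERVICE_DN or (self.bound_as == dn and self.users_can_read_self):
                    return dn, {a: entry.get(a) for a in attrs}
        return None

def auth_current(email, password, users_can_read_self):
    """Steps 1-3 as described: the alternate emails are read as the user."""
    conn = Conn(users_can_read_self)
    hit = conn.search(email, []) if conn.bind(SERVICE_DN, SERVICE_PW) else None
    if hit is None or not conn.bind(hit[0], password):
        return None
    attrs = conn.search(email, [ALT_ATTR])  # step 3, bound as the user
    # Assumption taken from the thread: a denied read here fails the login.
    return None if attrs is None else {"dn": hit[0], "alt": attrs[1][ALT_ATTR] or []}

def auth_optimized(email, password, users_can_read_self, alt_attr=ALT_ATTR):
    """Proposed variant: read alternates during step 1, only if configured."""
    conn = Conn(users_can_read_self)
    wanted = [alt_attr] if alt_attr else []
    hit = conn.search(email, wanted) if conn.bind(SERVICE_DN, SERVICE_PW) else None
    if hit is None or not conn.bind(hit[0], password):
        return None  # step 2 is now a pure password check
    return {"dn": hit[0], "alt": (hit[1].get(alt_attr) or []) if alt_attr else []}
```

With self-read denied, `auth_current` rejects a correct password while `auth_optimized` accepts it, which is the locked-down-directory case the second proposal targets.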