Allow LDAP search without anonymous read #86

Open
mdavidsaver opened this issue Aug 14, 2023 · 0 comments

@mdavidsaver (Contributor) commented:
There is currently no way to configure a DN to BIND when the ldap client is not acting on behalf of a particular user. This requires that the ldap server be configured to allow anonymous users to dump at least the group list, including membership.

As far as I can tell, the Spring Boot convention would configure this with ldap.username and ldap.password. I think this would be set with managerDn(). Despite the name, I think this could be any user with read permission for the necessary parts of the ldap database (so it need not be an admin account). One perhaps relevant example.

FYI, by looking at the openldap server log, I can see that the sequence of operations is:

  • BIND with the user provided through http basic auth
  • UNBIND
  • SEARCH do a groups search

What I would like to see happen if ldap.username is set:

  • BIND with a DN derived from the username provided through http basic auth
  • UNBIND
  • BIND with the "manager" DN
  • SEARCH do a groups search
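As an added illustration (not code from this project or from the issue author), the following Spring Security configuration produces the requested sequence: the HTTP-basic user is authenticated by a BIND with their own DN, and the groups SEARCH is then run on a separate context that binds as the service account from ldap.username / ldap.password instead of anonymously. The property names ldap.urls, ldap.groups.base and ldap.user.dn.pattern, and the default DN pattern, are assumptions made for this example.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.env.Environment;
import org.springframework.ldap.core.support.BaseLdapPathContextSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.ldap.LdapBindAuthenticationManagerFactory;
import org.springframework.security.ldap.DefaultSpringSecurityContextSource;
import org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator;

@Configuration
public class LdapServiceAccountConfig {

    // Context used for directory reads (the groups SEARCH). With ldap.username set it
    // binds as that service account, which only needs read access to the group
    // subtree; without it the read falls back to anonymous, which is what the
    // issue wants to avoid. setUserDn() is the same role as managerDn().
    @Bean
    public DefaultSpringSecurityContextSource contextSource(Environment env) {
        DefaultSpringSecurityContextSource cs =
                new DefaultSpringSecurityContextSource(env.getRequiredProperty("ldap.urls")); // assumed property
        String managerDn = env.getProperty("ldap.username", "");
        if (managerDn.isEmpty()) {
            cs.setAnonymousReadOnly(true);           // make the anonymous fallback explicit in config
        } else {
            cs.setUserDn(managerDn);                 // the "manager" DN: any read-capable account
            cs.setPassword(env.getRequiredProperty("ldap.password"));
        }
        return cs;
    }

    // BIND authentication: the user's DN (built from the HTTP-basic username) and the
    // supplied password are used for their own BIND/UNBIND; the populator then runs
    // the groups SEARCH through the service-account context above.
    @Bean
    public AuthenticationManager ldapAuthenticationManager(BaseLdapPathContextSource contextSource,
                                                           Environment env) {
        DefaultLdapAuthoritiesPopulator groups = new DefaultLdapAuthoritiesPopulator(
                contextSource, env.getProperty("ldap.groups.base", "ou=groups")); // assumed property
        groups.setGroupSearchFilter("(member={0})"); // {0} is the authenticated user's full DN
        groups.setGroupRoleAttribute("cn");

        LdapBindAuthenticationManagerFactory factory =
                new LdapBindAuthenticationManagerFactory(contextSource);
        factory.setUserDnPatterns(env.getProperty("ldap.user.dn.pattern", "uid={0},ou=people")); // assumed
        factory.setLdapAuthoritiesPopulator(groups);
        return factory.createAuthenticationManager();
    }
}
```

On the server side the service account then needs only read access to the group entries and their member attribute, so the anonymous read ACL can be withdrawn.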