LDAP bind user as the user logging in?

by Stephen Reese -
Number of replies: 9
I have successfully setup Moodle and the LDAP module.

The only issue is the user that is logging in needs to be set as the bind user as our LDAP directory does not allow anonymous browsing nor do we have an account that can view the attributes of others.

Is there a way to tell the LDAP module to bind the user trying to log in / create to also act as the bind account?

Thanks
In reply to Stephen Reese

Re: LDAP bind user as the user logging in?

by Stephen Reese -
Is this something that may be specified in the configuration or would some variables need to be hard coded?

i.e. User logging in = LDAP bind user
In reply to Stephen Reese

Re: LDAP bind user as the user logging in?

by Iñaki Arenaza -

You'd need to modify the code too, as the way it currently works is that the configured bind user looks for the distinguished name of the user that is trying to log in, and then rebinds with that distinguished name and the user-provided password to validate the user.

Saludos. Iñaki.

In reply to Stephen Reese

Re: LDAP bind user as the user logging in?

by Jon Witts -
The bind user must be a correct username and password pair for Moodle to know if the entered username and password pair exist in the LDAP directory.

Surely all the bind user needs to be able to do is read if another user exists?
In reply to Jon Witts

Re: LDAP bind user as the user logging in?

by Stephen Reese -
The users are only able to see the data for their username. I know this can be implemented because I'm using it for MediaWiki.


So instead of having a specific bind user the user logging in becomes the bind user.
In reply to Stephen Reese

Re: LDAP bind user as the user logging in?

by Jon Witts -
As Iñaki says, you will need to change the core code of the LDAP auth for this to work, as it breaks the logic of the plugin... Using a specific BIND user enables the auth plugin to be sure that it has a connection to your LDAP and that the user exists before checking the username/password pair of the user logging in... I suppose it saves some resources, and enables greater accuracy in reporting the login error, i.e. cannot bind to LDAP, user does not exist, or password incorrect... Using the logged-on user as the bind user would only allow one level of reporting incorrect logins...
In reply to Jon Witts

Re: LDAP bind user as the user logging in?

by John Atkins -

hmmm. Would this then allow multiple domain ldap hosts to be searched having the user as the bind user as well. If the user is not a domain member on the first ldap host it would fail to bind and (I think) rollover to the second ldap host where the user is a member and it would succeed. Obviously if it binds to the first ldap host it goes no further and also succeeds.

This would be a painless way to allow multiple domains (not child domains but separate through trusts) to be authenticated on one Moodle site. This 2 (or more) domain setup is used at loads of schools and unis, so it would be nice to be able to do this even with the reduced level of error reporting on failed logons and slightly increased processing.

What would need to be coded (and where) to use the logging in user as the bind user in the ldap plugin?

Even just an idea of how to get started....

thanks
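To make the two flows discussed above concrete, here is an added example (not Moodle's code, and not anything a poster supplied) that models them against a constructed in-memory directory: Iñaki's search-then-rebind flow with Jon's three distinct failure outcomes, and the user-as-bind-user flow with John's fall-through over several hosts. The hostnames, DNs, passwords and the DN template used to derive a user's DN without a search are all assumptions for the example.

```python
# Added example: two LDAP authentication flows traced against an in-memory
# directory so the logic can be followed offline. Not Moodle's own code.
from dataclasses import dataclass

@dataclass
class FakeDirectory:
    """Stand-in for one LDAP host. entries: DN -> (password, attributes)."""
    name: str
    entries: dict
    reachable: bool = True

    def bind(self, dn, password):
        # Refuse anonymous binds (Stephen's directory does too). An empty
        # password is treated as anonymous by real LDAP servers, so it is
        # rejected explicitly rather than letting it "succeed".
        if not self.reachable or not dn or not password:
            return False
        return dn in self.entries and self.entries[dn][0] == password

    def search_uid(self, uid):
        # Attribute lookup; only meaningful after a successful bind.
        for dn, (_, attrs) in self.entries.items():
            if attrs.get("uid") == uid:
                return dn
        return None

def auth_search_then_rebind(host, bind_dn, bind_pw, username, password):
    """Current plugin flow per Iñaki: bind as the configured account, look up
    the user's DN, rebind as that DN. Yields Jon's three separate failures."""
    if not host.bind(bind_dn, bind_pw):
        return "cannot_bind"
    dn = host.search_uid(username)
    if dn is None:
        return "user_not_found"
    return "ok" if host.bind(dn, password) else "bad_password"

def auth_direct_bind(hosts, dn_template, username, password):
    """Flow requested in the thread: the user binds as themself. The DN must
    be derivable without a search (template = assumption), every failure
    collapses to one outcome, and hosts are tried in turn as John proposes."""
    for host in hosts:
        if host.bind(dn_template.format(host=host.name, uid=username), password):
            return "ok", host.name
    return "failed", None

# Constructed sample data: a staff domain and a student domain, as in John's site.
STAFF = FakeDirectory("staff", {
    "cn=moodle-bind,dc=staff,dc=school": ("bindpw", {"uid": "moodle-bind"}),
    "cn=alice,dc=staff,dc=school": ("alicepw", {"uid": "alice"}),
})
STUDENTS = FakeDirectory("students", {
    "cn=bob,dc=students,dc=school": ("bobpw", {"uid": "bob"}),
})
```

Note that in the direct-bind flow a student logging in is never visible to the staff bind account; the login only works because the second host is tried, and a wrong password and an unknown user are indistinguishable to the caller.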

In reply to John Atkins

Re: LDAP bind user as the user logging in?

by John Atkins -

Apologies for asking the same question again. I had hoped others may have the same issue as myself and Stephen who started this thread. I am looking to edit the auth.php code such that the user logging in is also the bind user for LDAP logon. I am not sure of Stephen's reasons, but my school site has 2 domains on the same site (staff on one and students on the other) and, despite the staff domain bind account having read AD access on both domains, it will only bind with the staff domain. If I change the bind user to a student domain account, students can log on but now staff can't, so I can't get both domains to use LDAP at the same time.

I figure having the logging-on users as the bind users neatly gets around this problem, as it will only bind to the LDAP server that actually owns the account and then log them in, but my PHP scripting knowledge is far from great. Does anyone have some idea of how to edit auth.php to get this to occur, or a way to allow multiple bind users, 1 per domain (not in the same forest)? Obviously anonymous bind LDAP access is not an option for AD, so leaving the bind user blank doesn't work either.

Any help, however small, would be appreciated, as this would resolve the same issue on several school sites for some colleagues as well...

In reply to Stephen Reese

Re: LDAP bind user as the user logging in?

by Stephen Reese -
I would also like to see the LDAP module updated to add this functionality.
In reply to Stephen Reese

Re: LDAP bind user as the user logging in?

by Alberto G -

I've uploaded a new patch that adds an option to configure the bind user as the user logging in. It's a solution to this post.

You can see it here.

I hope it'll be helpful for you.