On Thu, Feb 21, 2002 at 02:46:37PM +0100, Prune wrote:
[...]
I subscribed to this list 2 years ago. I'm not an LDAP expert, I learn from
what I see and hear. Most of the implemented LDAP tools act like this:
-> bind as a privileged user
or
-> bind anonymously
-> search for attribute
-> get result attributes
-> re-bind as user
or
-> compare userPassword with the one supplied by the user
Some tools offer both, some do not...
I don't think there is a better way than another...
FWIW, the Apache auth_ldap appears to use the search/bind
model. It seems like a reasonable idea to me (as a total
LDAP neophyte), I suppose. It would be nice to implement
both, I guess. I may look at doing that.
Presumably you can set ACLs so that (say) the email
address and name of a user are publicly available, but
another attribute -- a password hash, say -- is available
only to the administrator and the user as whom the POP
server binds to the server?
The fact is that I prefer not to allow anything to users' accounts.
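
The ACL split asked about in the thread, sketched as an added example that is not part of the original messages. It assumes an OpenLDAP server configured through slapd.conf; the dc=example,dc=com suffix, the ou=people subtree and the cn=popd service DN are placeholders.

```conf
# Added example, not from the thread. All DNs below are placeholders.
# slapd evaluates "access to" clauses in order; the first matching
# <what> wins, and within it the first matching <who>.
# The rootdn (administrator) bypasses ACLs entirely.

# Password hash: never readable by ordinary clients.
#   self write      -> the user may change their own password
#   anonymous auth  -> usable only to verify a simple bind
#                      (this is what the search/bind model relies on)
#   popd compare    -> needed ONLY for the compare model; drop this
#                      line if the POP server re-binds as the user
access to attrs=userPassword
    by self write
    by dn.exact="cn=popd,ou=services,dc=example,dc=com" compare
    by anonymous auth
    by * none

# Public attributes under the people subtree. "entry" must be
# included or the search step cannot see that the entry exists.
access to dn.subtree="ou=people,dc=example,dc=com"
       attrs=entry,objectClass,uid,cn,mail
    by * read

# Everything else: owner may read their own entry, nobody else.
access to *
    by self read
    by * none
```

With the search/bind model the service account needs no access to userPassword at all, so a compromise of the POP server's credentials exposes only the public attributes; the compare model requires the extra `compare` grant shown above.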