LDAP & Customer Authorization

Hello, viewing customer information from an LDAP database works fine; I can see Userid, Username and Email in OTRS. Now I want my customers to log on using the LDAP information provided. Since my LDAP database is an address book, there is no password attribute available. What can I do, or is there something I misunderstood? Uwe

Hi Uwe,
On Mon, Jul 28, 2003 at 10:54:34AM +0200, Ortner, Uwe wrote:
> viewing customer information from an LDAP database works fine; I can see Userid, Username and Email in OTRS.
> Now I want my customers to log on using the LDAP information provided. Since my LDAP database is an address book, there is no password attribute available. What can I do, or is there something I misunderstood?
If there is no password attribute in your LDAP tree then you can't use the LDAP tree for logon (authentication). -=> I would add the password attribute to the LDAP tree.
> Uwe
Martin -- Martin Edenhofer - <martin at edenhofer.de> - http://martin.edenhofer.de/ -- Only 45 days until the Gäubodenvolksfest! ;-)
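As an added example (not part of the thread and not OTRS code), this is what "adding the password attribute" amounts to on the directory side: the address-book entry gets a userPassword value, which should be a salted hash rather than cleartext. The script below produces the {SSHA} form that OpenLDAP's slappasswd generates, verifies a password against it the way slapd does on a simple bind, and emits the LDIF change record that adds it to an existing entry. The DN, the password and the salt in the usage section are constructed sample data, not values from the thread.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{SSHA}"
SHA1_LEN = 20  # bytes of SHA-1 digest; whatever follows it in the decoded value is the salt


def ssha_hash(password, salt=None):
    """Return an RFC 2307 style {SSHA} value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)  # slappasswd also picks a random per-password salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(stored, password):
    """Check a candidate password against a stored {SSHA} value.

    This mirrors what slapd does on a simple bind: recompute the hash with the
    stored salt and compare.  Other schemes ({CRYPT}, {MD5}, cleartext) are
    deliberately rejected here rather than silently accepted.
    """
    if not stored.startswith(SCHEME):
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:  # binascii.Error is a ValueError: not base64 at all
        return False
    if len(raw) <= SHA1_LEN:
        return False  # digest without a salt is malformed, never a match
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def ldif_add_password(dn, password):
    """LDIF change record that adds userPassword to an existing address-book entry.

    Feed the result to `ldapmodify -x -D <admin DN> -W -f file.ldif`.
    """
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "add: userPassword",
        f"userPassword: {ssha_hash(password)}",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample entry and password; replace with your own tree.
    sample_dn = "uid=uwe,ou=people,dc=example,dc=org"
    sample_pw = "correct-horse"
    record = ldif_add_password(sample_dn, sample_pw)
    print(record)
    stored = [l for l in record.splitlines() if l.startswith("userPassword: ")][0]
    stored = stored[len("userPassword: "):]
    print("bind with right password:", ssha_verify(stored, sample_pw))
    print("bind with wrong password:", ssha_verify(stored, "wrong"))
```

Once the record is applied, a simple bind as `uid=uwe,...` with that password succeeds, which is all the OTRS customer LDAP authentication needs; the application never has to read the hash back.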

On Thu, 2003-07-31 at 00:02, Martin Edenhofer wrote:
> Hi Uwe,
> On Mon, Jul 28, 2003 at 10:54:34AM +0200, Ortner, Uwe wrote:
>> viewing customer information from an LDAP database works fine; I can see Userid, Username and Email in OTRS.
>> Now I want my customers to log on using the LDAP information provided. Since my LDAP database is an address book, there is no password attribute available. What can I do, or is there something I misunderstood?
> If there is no password attribute in your LDAP tree then you can't use the LDAP tree for logon (authentication).
> -=> I would add the password attribute to the LDAP tree.
OK, works fine ... But users cannot change their password from within the customer interface - is this in general not possible? BTW: Authenticated users do have self write permission on their password field in LDAP. Any ideas? Uwe

Hi Uwe,
On Mon, Sep 08, 2003 at 11:22:37AM +0200, Ortner, Uwe wrote:
>>> viewing customer information from an LDAP database works fine; I can see Userid, Username and Email in OTRS.
>>> Now I want my customers to log on using the LDAP information provided. Since my LDAP database is an address book, there is no password attribute available. What can I do, or is there something I misunderstood?
>> If there is no password attribute in your LDAP tree then you can't use the LDAP tree for logon (authentication).
>> -=> I would add the password attribute to the LDAP tree.
> OK, works fine ...
Fine! ;)
> But users cannot change their password from within the customer interface - is this in general not possible?
> BTW: Authenticated users do have self write permission on their password field in LDAP.
It's wanted. Because there should be no way (IMO) for other applications to write into your LDAP. It's critical, because at some time you will get an inconsistent directory if each application is writing into your directory. IMO.
> Uwe
Martin -- Martin Edenhofer - <martin at edenhofer.de> - http://martin.edenhofer.de/ -- "The number of Unix installations has grown to 10, with more expected." The Unix Programmer's Manual, 2nd Edition, June 1972

On Mon, 2003-09-08 at 20:13, Martin Edenhofer wrote:
>> BTW: Authenticated users do have self write permission on their password field in LDAP.
> It's wanted. Because there should be no way (IMO) for other applications to write into your LDAP. It's critical, because at some time you will get an inconsistent directory if each application is writing into your directory.
Could you explain that a little bit more? In my eyes LDAP is fully multi-user capable, as it's widely used in Linux-ish environments for user authentication. I personally use it for PAM-based LDAP authentication and address book management, as well as for SMTP server configuration. I am completely relying on LDAP. In other words, passwords are stored nowhere else and (nearly) parallel writes should be allowed (address books). If I didn't get the OpenLDAP/pam_ldap documentation completely wrong, a solution like this could be capable of serving thousands of users. This wouldn't be possible in a one-user LDAP environment, would it? Btw, why would user X want or be allowed to change the password for another user without the other user knowing this? Regards, Robert Kehl

On Mon, Sep 08, 2003 at 10:29:52PM +0200, Robert Kehl wrote:
> On Mon, 2003-09-08 at 20:13, Martin Edenhofer wrote:
>>> BTW: Authenticated users do have self write permission on their password field in LDAP.
>> It's wanted. Because there should be no way (IMO) for other applications to write into your LDAP. It's critical, because at some time you will get an inconsistent directory if each application is writing into your directory.
> Could you explain that a little bit more? In my eyes LDAP is fully multi-user capable, as it's widely used in Linux-ish environments for user authentication. I personally use it for PAM-based LDAP authentication and address book management, as well as for SMTP server configuration. I am completely relying on LDAP. In other words, passwords are stored nowhere else and (nearly) parallel writes should be allowed (address books).
What I mean is, if you have 10 applications which are writing to your LDAP tree, then you will get an inconsistent LDAP tree (different objects, different attributes, ...). So normally just one or two applications should have write access to your LDAP tree (IMO).
> Robert Kehl
Martin -- Martin Edenhofer - <martin at edenhofer.de> - http://martin.edenhofer.de/ -- Perfection is our goal, excellence will be tolerated. -- J. Yahl
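As an added illustration that is neither from the thread nor from OTRS: the two positions above (users may write their own password; only one or two applications should write to the tree at all) are compatible if the directory's ACLs split write access by attribute and by bind identity. The fragment below is in the slapd.conf syntax of OpenLDAP 2.1 and later; the base DN and the two service-account DNs are assumed sample values.

```conf
# Assumed layout: people entries under ou=people,dc=example,dc=org;
# a service account for OTRS and one for a provisioning tool under ou=services.

# userPassword: the owner may change it (the "self write" permission from the
# thread), anyone may authenticate against it, nobody may read it back.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The rest of the address book: one provisioning identity writes, OTRS reads
# what it needs for customer data, users may read their own entry.
access to dn.subtree="ou=people,dc=example,dc=org"
    by dn.exact="cn=provisioning,ou=services,dc=example,dc=org" write
    by dn.exact="cn=otrs,ou=services,dc=example,dc=org" read
    by self read
    by * none
```

Directives are evaluated in order and the first `access to` whose target matches decides, so the userPassword clause has to come before the broader subtree clause. With this in place OTRS authenticates a customer by binding as that user, which needs only `auth` on userPassword, and the OTRS bind DN holds no write privilege anywhere; users change their own password with a tool that binds as them (ldappasswd, or a PAM-based change), which is the self-service the thread notes the OTRS customer interface does not provide.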
participants (4)
- Martin Edenhofer
- Ortner, Uwe
- Ortner, Uwe
- Robert Kehl