This question about Using an extension: Answered

authenticated LDAP queries

This actually is a combined LdapContrib, LdapNgPlugin and Apache question.

I am running Foswiki as an intranet for several cooperating organizations and personal data for all of these organizations is stored in a central OpenLDAP directory. Read and write access to the subtrees corresponding to each organization is restricted to the members of each and the Foswiki LDAP bind user does not have sufficient access rights to access personal data for queries.

Authentication is managed via apache and mod_ldap.

I now want to query the directory using LdapNgPlugin but I don't see a way to make it use the current user rather then the site-wide bind user for binding. However, this is crucial to ensure correct access control to the directory.

Is there any chance of achieving this? Getting the user's dn should not be a problem, but I can't access the password necessary to bind, can I? Any pointers, ideas or suggestions would be highly appreciated.

-- FrankEckert - 21 Feb 2010

Try using the TemplateLogin scheme. This will rebind the current user with her own account. If that's done on apache level LdapContrib will only take the remote_user information. Any %LDAP will then still be performed using the default proxy user inside Foswiki.

If that's not feasible - for instance if you have SSO strategy and you rely on authenticating on apache level - then an extra option for LdapContrib is needed to make it bind to the ldap directory as well for the reason you outlined.

-- MichaelDaum - 22 Feb 2010

QuestionForm edit

Subject Using an extension
Extension LdapNgPlugin
Version Foswiki 1.0.9
Status Answered
Topic revision: r2 - 22 Feb 2010, MichaelDaum - This page was cached on 03 Jun 2020 - 22:41.

The copyright of the content on this website is held by the contributing authors, except where stated elsewhere. See Copyright Statement. Creative Commons License    Legal Imprint    Privacy Policy