This question about Using an extension: Answered
authenticated LDAP queries
This actually is a combined LdapContrib and Apache question.
I am running Foswiki as an intranet for several cooperating organizations, and personal data for all of these organizations is stored in a central OpenLDAP directory. Read and write access to the subtrees corresponding to each organization is restricted to the members of each, and the Foswiki LDAP bind user does not have sufficient access rights to access personal data for queries.
Authentication is managed via Apache and mod_ldap.
I now want to query the directory using LdapNgPlugin, but I don't see a way to make it use the current user rather than the site-wide bind user for binding. However, this is crucial to ensure correct access control to the directory.
Is there any chance of achieving this? Getting the user's dn should not be a problem, but I can't access the password necessary to bind, can I? Any pointers, ideas or suggestions would be highly appreciated.
- 21 Feb 2010
Try using the TemplateLogin scheme. This will rebind the current user with her own account. If that's done on the Apache level, LdapContrib will only take the remote_user information. Any %LDAP will then still be performed using the default proxy user inside Foswiki.
If that's not feasible - for instance if you have an SSO strategy and you rely on authenticating on the Apache level - then an extra option for LdapContrib is needed to make it bind to the LDAP directory as well for the reason you outlined.
- 22 Feb 2010
| Subject || Using an extension |
| Extension || LdapNgPlugin |
| Version || Foswiki 1.0.9 |
| Status || Answered |