• Greetings.

    I have just spent a few minutes with the LDAP LPRM Plugin, and either there is something I do not understand or something seems missing.

    The plugin seems to (correctly) use a search/bind scheme where the user DN is retrieved from the directory service with an initial search and later used to bind.

    The problem, however, is this initial search: it’s done using anonymous bind. I fail to find any way to add credentials for a directory user to be used for this initial search.

    Many directories (mine included) do not allow anonymous bind, and therefore the plugin will fail to retrieve a user’s DN.

    http://wordpress.org/extend/plugins/ldap-login-password-and-role-manager/

Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author frankkoenen

    (@frankkoenen)

    That is correct. There is an anonymous search performed on the base DN that you define for your users on the attribute you define for the user account. Once the DN is located, a test bind on that DN is performed using the user account and password information provided by the end user.

    The plugin could be easily modified to be given a super user DN and password to be able to search the directory without anonymous bind. I have felt this is less secure than providing limited attribute read access to perform anonymous searches, since a DN and password would need to be stored somewhere in clear text in order for the plugin to use it.

    I have implemented secure solutions in this regard however. If you are interested in having the plugin modified or are interested in my other solutions for avoiding anonymous binds, please contact me directly for assistance.

    /Frank

    Your plugin works! But I can’t allow anonymous search of DN, please help!

    Also, how do I use StartTLS?

    Hey, I’ve installed an SSL cert and tested it with other apps, however I can’t get your plugin to function with SSL port 636 or with TLS enabled. This makes my SSL useless, can you help?

    The plugin could be easily modified to be given a super user DN and password to be able to search the directory without anonymous bind.

    We don’t use the superuser’s credentials, we use an account with limited read permission. This is even slightly more secure than anonymous bind because a rogue programme installed on any of our internal computers wouldn’t be able to access the directory without knowing at least the limited read account’s name and password.

    I have felt this is less secure than providing limited attribute read access to perform anonymous searches, since a DN and password would need to be stored somewhere in clear text in order for the plugin to use it.

    Yet, at the same time, many places that cover administration of Active Directory, and even common sense, say that allowing any sort of anonymous bind is incredibly insecure.

    I’m aware that giving every app root access to the directory is somewhat commonplace in the Unix world (that’s why things like RBAC on Solaris exist), but can’t you just throw a large “WARNING: YOU CAN GET OWNED IF YOU PUT ADMIN CREDENTIALS HERE” alert at the top of a config page and add the ability to bind using credentials? Some people may not be good enough at PHP or LDAP library code to know how to add this themselves, and you’re also making installing updates harder.
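As an added illustration (not the plugin’s code, and not posted by anyone in this thread) of what the replies above ask for: a search-then-bind in PHP’s ext/ldap that authenticates with a limited read-only service account instead of an anonymous bind, upgrades the connection with StartTLS before any credentials are sent, and escapes the user-supplied login in the search filter. The host, base DN, attribute name and service-account values are placeholders you would replace with your own directory’s.

```php
<?php
// Added example, not the LPRM plugin's own code. All values below are placeholders.
const LDAP_URI       = 'ldap://ldap.example.test';                     // port 389, upgraded with StartTLS
const LDAP_BASE_DN   = 'ou=people,dc=example,dc=test';
const LDAP_USER_ATTR = 'uid';                                          // attribute holding the login name
const LDAP_READER_DN = 'cn=wp-reader,ou=services,dc=example,dc=test';  // limited read-only account
const LDAP_READER_PW = 'placeholder-read-only-password';

/**
 * Authenticate $login/$password against the directory.
 * Returns the user's DN on success, or null on any failure.
 */
function ldap_search_then_bind(string $login, string $password): ?string
{
    // An empty password turns the final bind into an unauthenticated bind on many
    // servers, which "succeeds" without checking anything, so reject it up front.
    if ($login === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect(LDAP_URI);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);

    // Upgrade to TLS before sending either the reader's or the user's credentials.
    if (!@ldap_start_tls($conn)) {
        ldap_unbind($conn);
        return null;
    }
    // Step 1: bind as the limited reader (this replaces the anonymous search bind).
    if (!@ldap_bind($conn, LDAP_READER_DN, LDAP_READER_PW)) {
        ldap_unbind($conn);
        return null;
    }
    // Step 2: look up the user's DN; escape the login so it cannot alter the filter.
    // The attribute list ['1.1'] asks for no attributes, since only the DN is needed.
    $filter = sprintf('(%s=%s)', LDAP_USER_ATTR, ldap_escape($login, '', LDAP_ESCAPE_FILTER));
    $result = @ldap_search($conn, LDAP_BASE_DN, $filter, ['1.1']);
    $dn = null;
    if ($result !== false && ldap_count_entries($conn, $result) === 1) {
        $dn = ldap_get_dn($conn, ldap_first_entry($conn, $result));
    }
    // Step 3: prove the password by binding as the user; fails if no unique DN was found.
    $ok = $dn !== null && @ldap_bind($conn, $dn, $password);
    ldap_unbind($conn);
    return $ok ? $dn : null;
}
```

The reader account's password still has to live in the plugin's configuration, which is the trade-off discussed above; limiting that account to read access on the login attribute under the user base DN keeps what a leaked copy can do to a minimum.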

  • The topic ‘[Plugin: LDAP LPRM] Anonymous bind’ is closed to new replies.