Re: [tpop3d-discuss] ldap virtual auth plugin : near release

[Ben Schumacher]

On Thu, 21 Feb 2002, Chris Lightfoot wrote:
 [..snip..]
> > >You establish whether the user has credentials on the
> > >mailbox by seeing whether they can bind (roughly
> > >equivalent to `log in', right?) to the LDAP server. Is
> > >this the normal approach? (I had assumed that one would
> > >have an attribute which contains a password hash -- as
> > >auth-mysql does -- and then test that explicitly.)
> > >
> > You can do both. getting the password and testing is the "old way" of
> > doing. At least, I think....
>     [...]
> > You have to understand that a bind is something really common with ldap.
> > it's built in feature. it checks against the "userPassword" attribute.
>
> Fair enough. If this is widespread practice, I don't mind
> limiting the authenticator in this way.

I would almost say that this behavior is ubiquitous. I work for Jabber,
and we offer an LDAP authentication module for our product that offers
this exact behavior -- we have yet to find a customer for which this
doesn't work.

> > If not yet done, try gq (gnome or kde ldap browser, don't remember) or
> > ldapbrowser, a java browser, very usefull.
>
> Ooh. Graphical user interfaces. Cool[1].

There's a reasonably good web-based LDAP administration package that's
written in PHP. Its called something like phpLDAPAdmin, or some such
madness.

bs.