Thread: [MRBS-general] ldap credentials to access ldap server
From: Rose T. <ros...@al...> - 2007-08-16 18:19:03
Hi:

What is the syntax to include ldap credentials to access the ldap server?

Rose Taylor, BSc.
Senior Information Technology Specialist
Information Technology Services
Algoma University College
1520 Queen Street East
Sault Ste. Marie ON P6A 2G4
Phone: 705-949-2301 x4412
Email: ros...@al...
website: www.algomau.ca

From: John B. <jo...@re...> - 2007-08-16 20:50:40
Rose Taylor wrote:
> Hi:
>
> What is the syntax to include ldap credentials to access the ldap server?

I'd read the documentation that comes with MRBS, especially AUTHENTICATION.

What the documentation won't tell you is your LDAP schema, which only you can know.

John.

--
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                 -- William Blake

From: Rose T. <ros...@al...> - 2007-08-20 12:42:23
I know the schema but what is the syntax for including a login and password for the ldap server?

Rose Taylor, BSc.
Senior Information Technology Specialist
Information Technology Services
Algoma University College
1520 Queen Street East
Sault Ste. Marie ON P6A 2G4
Phone: 705-949-2301 x4412
Email: ros...@al...
website: www.algomau.ca

From: John B. <jo...@re...> - 2007-08-20 13:33:07
Rose Taylor wrote:
> I know the schema but what is the syntax for including a login and
> password for the ldap server?

The LDAP authentication method in MRBS will only authenticate with the LDAP server using the username and password that the user supplies. So there is no global login and password for the LDAP server.

How do you expect the LDAP authentication to work?

John.

--
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                 -- William Blake

From: Peter K. <p....@au...> - 2007-08-20 20:53:17
Quoting John Beranek <jo...@re...>:

> Rose Taylor wrote:
>> I know the schema but what is the syntax for including a login and
>> password for the ldap server?
>
> The LDAP authentication method in MRBS will only authenticate with the
> LDAP server using the username and password that the user supplies. So
> there is no global login and password for the LDAP server.
>
> How do you expect the LDAP authentication to work?
>
> John.

We have a system where any "other" server (mrbs, AppleFileShare, etc) which is not running MSWindows Server and automatically bound to the domain structure, must use a secret generic username+password to bind to the upstream LDAP. Without this ordinary users cannot authenticate with LDAP. This is even for MacOS-X servers running Open Directory...

You will need to consult with your LDAP administrator to see if this applies to you.

Peter Kerr
University of Auckland

-----------------------------------------------------------------------
This mail sent through University of Auckland http://www.auckland.ac.nz

From: Rose T. <ros...@al...> - 2007-08-21 12:42:05
Yes, this does apply to our setup and that's why I am wondering what line of code I need in the config file to add this. I have set up ldap to run on another system and I had to supply a login account for ldap authentication.

Rose Taylor, BSc.
Senior Information Technology Specialist
Information Technology Services
Algoma University College
1520 Queen Street East
Sault Ste. Marie ON P6A 2G4
Phone: 705-949-2301 x4412
Email: ros...@al...
website: www.algomau.ca

From: John B. <jo...@re...> - 2007-08-22 15:34:50
Peter Kerr wrote:
> Quoting John Beranek <jo...@re...>:
>
>> Rose Taylor wrote:
>>> I know the schema but what is the syntax for including a login and
>>> password for the ldap server?
>> The LDAP authentication method in MRBS will only authenticate with the
>> LDAP server using the username and password that the user supplies. So
>> there is no global login and password for the LDAP server.
>>
>> How do you expect the LDAP authentication to work?
>>
>> John.
>
> We have a system where any "other" server (mrbs, AppleFileShare, etc)
> which is not running MSWindows Server and automatically bound to the
> domain structure, must use a secret generic username+password to bind
> to the upstream LDAP. Without this ordinary users cannot authenticate
> with LDAP. This is even for MacOS-X servers running Open Directory...

I don't understand, you have to bind twice in the same LDAP connection?

MRBS certainly doesn't support that currently.

John.

--
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                 -- William Blake

From: Peter M. <Pet...@it...> - 2007-08-22 22:37:20
There are two variations of LDAP login commonly used. Binding twice might be a third.

The first way to find out if M. Mandela can use the system, connect to LDAP with M. Mandela's user name and password. Quick and easy.

The second way is to connect to LDAP using an administrative id & password then search for M. Mandela's user name & password in LDAP. This way is slower but it lets you validate people who are in LDAP and do not have bind access to LDAP.

If you use the second method then relay the LDAP through a remote LDAP, I do not think you would need two binds. Your bind to the relaying LDAP should give you read access to the primary LDAP. What you might need is a longer search string. If the primary has selection string dc=c,dc=b,dc=a and that is relayed under dc=y,dc=x, you might have to search dc=c,dc=b,dc=a,dc=y,dc=x. MRBS should be able to handle this.

Peter

From: John B. <jo...@re...> - 2007-08-23 08:54:11
Peter Moulding wrote:
> There are two variations of LDAP login commonly used. Binding twice
> might be a third.
>
> The first way to find out if M. Mandela can use the system, connect to
> LDAP with M. Mandela's user name and password. Quick and easy.
>
> The second way is to connect to LDAP using an administrative id &
> password then search for M. Mandela's user name & password in LDAP. This
> way is slower but it lets you validate people who are in LDAP and do not
> have bind access to LDAP.

Surely in this method the user doesn't have any password check performed, and therefore someone can fake being any valid user on the system...

John.

--
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                 -- William Blake

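
The two flows discussed in this exchange, as an added Python model that is not from the thread or from MRBS: a service-account bind followed by a search only establishes that the user exists, so the password check has to be a second bind as the DN that was found, with empty passwords refused before they reach the server. `ToyLDAP`, the DNs and the passwords are constructed stand-ins for a real directory.

```python
# Added model; DNs, passwords and ToyLDAP are constructed, not MRBS code.
SERVICE_DN = "cn=svc-mrbs,ou=services,dc=example,dc=org"
SERVICE_PW = "svc-secret"
USER_DN = "uid=mmandela,ou=people,dc=example,dc=org"
DIRECTORY = {  # DN -> attributes, standing in for a real LDAP server
    SERVICE_DN: {"uid": "svc-mrbs", "userPassword": SERVICE_PW},
    USER_DN: {"uid": "mmandela", "userPassword": "correct horse"},
}

class ToyLDAP:
    """Models only the two operations the thread discusses: bind and search."""

    def __init__(self):
        self.bound_as = None

    def bind(self, dn, password):
        if password == "":
            # RFC 4513: a DN with an empty password is an unauthenticated
            # bind; some servers report success and treat it as anonymous.
            self.bound_as = None
            return True
        entry = DIRECTORY.get(dn)
        ok = entry is not None and entry["userPassword"] == password
        self.bound_as = dn if ok else None
        return ok

    def search_uid(self, uid):
        if self.bound_as is None:
            raise PermissionError("search requires an authenticated bind")
        return [dn for dn, e in DIRECTORY.items() if e["uid"] == uid]

def lookup_only(uid):
    """Service bind + search: proves the user exists, checks no password."""
    conn = ToyLDAP()
    conn.bind(SERVICE_DN, SERVICE_PW)
    return len(conn.search_uid(uid)) == 1

def search_then_bind(uid, password):
    """Service bind to find the DN, then a second bind as that user."""
    if not uid or not password:      # never forward an empty password
        return False
    conn = ToyLDAP()
    if not conn.bind(SERVICE_DN, SERVICE_PW):
        return False
    matches = conn.search_uid(uid)
    if len(matches) != 1:            # unknown or ambiguous user
        return False
    return ToyLDAP().bind(matches[0], password)  # the real password check
```
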
From: Peter K. <p....@au...> - 2007-08-22 21:29:52
Quoting John Beranek <jo...@re...>:
>
> I don't understand, you have to bind twice in the same LDAP connection?
>
> MRBS certainly doesn't support that currently.
>

I confess I don't understand all the inner workings, but we are using a MacOS-X Server for filesharing, Quicktime Streaming and a few other things. We have some services where users must authenticate, MacOS-X uses Open Directory and connects to an upstream ActiveDirectory service. Under our Domain structure there is a utility account which is required for this binding, then the LDAP directory is reflected on the MacOS machine in such a way that requests are still passed upstream to the main database for authentication.

I assume that mrbs could work in these conditions, but Confession nr2: I chickened out because of the number of other web services on this box. I set up mrbs separately, no, couldn't afford another server licence, so I'm using http directives and IP nr restrictions as to who can read mrbs, and booking authors are authenticated simply by config.inc.php which is locked down, readonly to user www.

I can get away with this because our booking authors change very rarely...

Peter Kerr

From: David P. C. <dav...@br...> - 2007-08-23 08:24:18
Peter,

Just a note to say, if you use the active directory plugin in directory access within os x server, then mrbs users can authenticate directly to AD, without going through OD, which in fact _cannot_, in my experience, replicate the LDAP part of AD. This is the only way I have been able to get mrbs to work through an xserve to AD, but it does work and would give you access control without all the IP filtering, IMO.

David

--
David Plans Casal
Digital Technologist
School of Arts
Brunel University
e : david dot plans at brunel.ac.uk
t : +44 1895 266 475
m : +44 7803 173 959