From: Krzysztof B. <kb...@un...> - 2021-03-03 08:45:02
Dear David,
On 02.03.2021 at 14:31, David Pape wrote:
> P.S.:
>
> I tried using template based resolving like this:
>
> uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de
>
> where Unity does in fact not ask for a system password. But since in this case
> the test fails with "invalid credentials", it seems like normal users are not
> allowed to access the system.
Ah, ok - so yes - there are two places where the Unity credential can be
set. If you use 'bindAs=system' then the system credential is used for every
query except password verification (done with bind). So this needs to
be a credential of a highly privileged user.
If you use bindAs=user then this is in general not needed, as the user's
credential is used to query LDAP. But this means we need to have a
template to build the user's DN out of the username - only then can we start
using this DN as part of the authN. Otherwise another 'mini-system'
credential needs to be provided just to find the user's DN. This, in
contrast to the previous one, need not have wide permissions.
> Using the ldapsearch command with the options -D "" -b
> "ou=users,ou=db,ou=it,o=fsr,dc=de", does work.
If I read the above correctly, your LDAP is configured so that you can
run queries without any authentication whatsoever? If so then I'd suggest
adding a user to your test LDAP instance with some credentials and using
this as a 'system' user in Unity.
Best,
Krzysztof
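An added illustration (not Unity's or the list's own code) of the two ways Krzysztof describes to obtain the user's DN before the password bind: filling the DN template from the thread, or searching under the base David used with ldapsearch from a low-privilege lookup account. The escaping applied to the login name follows RFC 4514 (DN values) and RFC 4515 (filter values) and is this example's own defensive measure; it makes no claim about what Unity itself does.

```python
# Added example, not Unity's code: the two lookup paths from the thread with the
# escaping each one needs so a login name stays a single value.

DN_TEMPLATE = "uid={USERNAME},ou=users,ou=db,ou=it,o=fsr,dc=de"  # template from the thread
SEARCH_BASE = "ou=users,ou=db,ou=it,o=fsr,dc=de"                # base used with ldapsearch -b

# RFC 4514: characters that need a backslash inside a DN attribute value.
_DN_SPECIAL = set(',+"\\<>;=')


def escape_dn_value(value: str) -> str:
    """Escape a login name so it is one RDN value and cannot add DN components."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def user_dn_from_template(username: str, template: str = DN_TEMPLATE) -> str:
    """bindAs=user with a DN template: no lookup credential is needed at all."""
    return template.replace("{USERNAME}", escape_dn_value(username))


def user_dn_search(username: str, base: str = SEARCH_BASE) -> tuple:
    """bindAs=user without a template: the 'mini-system' account runs this search
    first and only needs read access under `base`; returns (base, filter)."""
    return base, f"(uid={escape_filter_value(username)})"


if __name__ == "__main__":
    print(user_dn_from_template("dpape"))
    print(user_dn_from_template("x,ou=admins"))  # stays one uid value
    print(user_dn_search("*)(uid=*"))            # wildcard and parentheses neutralised
```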