Stanislav Sinyagin
2010-09-14 11:32:46 UTC
hi,
I need to authenticate users against the corporate MS Active Directory, and also
authorize them based on group membership.

A static account for binding and searching is not available, therefore AuthzLDAP
is difficult to use.

Here's a proposal, please let me know if it fits your philosophy, and then I'll
make a fork at Github:

1. Allow MS style binding: DN=***@domain.com

This simplifies the thing, as we don't need to know the whole AD hierarchy
structure. Works with most Active Directory servers.

2. Allow hooks in Action::LDAPLogin.

I want to look up the user's group membership right at the spot when the LDAP
session is created and authenticated. Based on that lookup, I would update the
user's fields, like "is_administrator".

Such things are very site-specific, so it doesn't make much sense to put them
into the public plugin. Of course, I would give an example in the documentation.
cheers,
stan
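A sketch of what such a login hook could look like, added here as an illustration for the thread rather than code from the plugin or from Stan's fork: it binds with the user's own UPN-style credentials (so no service account is needed), then reuses that authenticated session to read the user's memberOf and derive is_administrator. The host, base DN, UPN suffix and admin group DN are assumed placeholder values.

```perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

# Site-specific settings (assumed values for this example)
my $LDAP_HOST   = 'ldaps://dc.example.com';
my $UPN_SUFFIX  = 'example.com';
my $BASE_DN     = 'DC=example,DC=com';
my $ADMIN_GROUP = 'CN=App Admins,OU=Groups,DC=example,DC=com';

# Returns a hashref of user fields on success, undef on failure.
sub ldap_login_hook {
    my ($username, $password) = @_;

    # AD treats a bind with an empty password as an unauthenticated
    # (anonymous) bind and reports success, so refuse it up front.
    return undef unless defined $password && length $password;

    # Accept only a bare account name; the UPN suffix is appended here.
    return undef unless $username =~ /^[A-Za-z0-9._-]+$/;
    my $upn = "$username\@$UPN_SUFFIX";

    my $ldap = Net::LDAP->new($LDAP_HOST, timeout => 10) or return undef;
    my $mesg = $ldap->bind($upn, password => $password);
    if ($mesg->code) {            # bind failed: wrong password, locked, etc.
        $ldap->unbind;
        return undef;
    }

    # Same authenticated session: look up the caller's own entry.
    # The UPN is escaped so user input cannot alter the filter.
    $mesg = $ldap->search(
        base   => $BASE_DN,
        scope  => 'sub',
        filter => '(&(objectClass=user)(userPrincipalName='
                  . escape_filter_value($upn) . '))',
        attrs  => [qw(memberOf displayName)],
    );
    my ($entry) = $mesg->entries;
    $ldap->unbind;
    return undef unless $entry;

    # memberOf lists direct groups only; nested membership is not expanded.
    my %groups = map { lc $_ => 1 } $entry->get_value('memberOf');
    return {
        username         => $username,
        name             => scalar $entry->get_value('displayName'),
        is_administrator => $groups{ lc $ADMIN_GROUP } ? 1 : 0,
    };
}
```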