On Wednesday 24 June 2009 19:59:07 Zdenek Styblik wrote:
> Hi,
> I'd like to ask why auth from external applications like e.g. an ftp server is done via a proxy user, and not straight with user-provided credentials.
I am assuming you are asking why a proxy user is required. Typically, the proxy user is *not* used to "authenticate" the user, but to identify the DN to bind as. Once the DN has been identified, the password supplied is used to bind as the DN that the application determined is correct for the username that was supplied.
Of course, this is in the case of a simple bind.
The other alternatives are:
- Use a SASL mechanism, and ensure that the LDAP server maps a SASL username to the correct DN
- Do DN construction (which has significant disadvantages)

> Could somebody, please, clarify this for me? I'm sure there are really good reasons not to do so (straight auth), still I've "found" pros in not having an additional user which is capable of reading others' (even hashed) passwords, and probably no need to be password-hash dependent as the whole auth would be LDAP's domain.
This sounds like your application is broken, and is comparing passwords on the client side. Most applications like this can be configured to do a BIND to validate the password instead, and this gives you a lot more flexibility (e.g., use new password hashes supported by the LDAP server, but not necessarily by all applications).
In a decent setup, no DN should need to read passwords to do authentication.
Maybe you need to provide details of your application and its configuration.
Regards, Buchan
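The search-then-bind flow Buchan describes, as an added example that is not from this thread: the proxy identity only locates the user's DN, the password the user typed is checked by binding as that DN, and the application never reads userPassword. The `FakeDirectory` class is a constructed in-memory stand-in for a real LDAP server (a real deployment would use python-ldap or ldap3 search and simple-bind calls); the DNs and passwords are made up for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server: dn -> attribute dict."""
    entries: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def simple_bind(self, dn: str, password: str) -> bool:
        # RFC 4513: a bind with an empty password is an *unauthenticated* bind,
        # which some servers accept; the stand-in accepts it to show why the
        # application must reject empty passwords itself.
        if not password:
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, base: str, attr: str, value: str) -> List[str]:
        # Subtree search by one equality filter, e.g. (uid=alice) under base.
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and e.get(attr) == value]


def search_then_bind(directory: FakeDirectory, proxy_dn: str, proxy_pw: str,
                     base: str, username: str, password: str) -> Optional[str]:
    """Return the authenticated user's DN, or None on any failure (fail closed)."""
    if not password:                  # would otherwise become an unauthenticated bind
        return None
    if not directory.simple_bind(proxy_dn, proxy_pw):
        return None                   # proxy is only used to find the DN
    matches = directory.search(base, "uid", username)
    if len(matches) != 1:             # no match, or an ambiguous uid: refuse
        return None
    user_dn = matches[0]
    # The user's own credentials are verified by the server, not compared here.
    return user_dn if directory.simple_bind(user_dn, password) else None


PROXY_DN = "cn=ftp-proxy,ou=services,dc=example,dc=com"   # constructed
BASE = "ou=people,dc=example,dc=com"                       # constructed


def demo_directory() -> FakeDirectory:
    d = FakeDirectory()
    d.entries[PROXY_DN] = {"userPassword": "proxy-secret"}
    d.entries["uid=alice,ou=people,dc=example,dc=com"] = {"uid": "alice", "userPassword": "alice-pw"}
    d.entries["uid=bob,ou=people,dc=example,dc=com"] = {"uid": "bob", "userPassword": "bob-pw"}
    d.entries["uid=bob,ou=contractors,ou=people,dc=example,dc=com"] = {"uid": "bob", "userPassword": "other"}
    return d
```

Running `search_then_bind(demo_directory(), PROXY_DN, "proxy-secret", BASE, "alice", "alice-pw")` returns alice's DN, while an empty password, a wrong password, a wrong proxy password or the duplicated uid "bob" all return None.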