Buchan Milne wrote:
> On Thursday 25 June 2009 20:47:46 Zdenek Styblik wrote:
> After reading the README.LDAP, I didn't see any description of how authentication is done, so I looked, and in src/log_ldap.c, we have this:
Neither did I, but I just assumed/guessed. I didn't have time to look at the source (yet).
> void pw_ldap_check(AuthResult * const result,...
> IOW, pure-ftpd is retrieving the password hash from LDAP, hashing the password from the user with the same hash (we hope), and comparing the resulting character arrays.
That's what I've expected.
> It would have been much easier to bind as the user's DN, and look at the result code ...
Agreed. And I'm very glad to hear that. Thanks for the confirmation. I almost know I'm going to be too lazy to implement it, but the proper way is to implement a search for the DN, right? A user with almost no rights, just to search for the DN by some parameter (cn/uid/whatever), fetch the DN, try to authenticate against the fetched DN with the user-provided password, check the error code -> revoke/auth.
This user has access to 'userPassword'. Documentation says: "- LDAPBindDN is the DN we should bind the server for simple authentication. If you don't need authentication (ie. anonymous users can browse that part of the LDAP directory), just remove that line."
But we need to bind to the LDAP, or we won't be allowed to read anything at all.
Anyway. I've tried to delete 'LDAPBindDN' and here is the result:
slapd[14940]: conn=1490 op=1 BIND dn="" method=128 ....
slapd[14940]: conn=1513 op=2 SEARCH RESULT tag=101 err=50 nentries=0 text=
...and it doesn't work. err=50 is insufficient access, but isn't an empty DN equivalent to anonymous?
> I would:
> 1) File a bug on pure-ftpd, that it should offer an option (my preference would be that this should be the default) to bind as the user to validate the password.
That might be just a matter of opinion (security [flame], here we go). But I do agree with you.
> 2) Switch to a different FTP server (e.g. proftpd) until this is fixed in pure-ftpd.
I see what can be done. Pure-ftpd is somewhat missing groups support and we need this feature at our site. There is some patch for it, but I'd like to have internal support for this, rather than some external script/mechanism. But that's a different story. Thank you for the suggestion - point taken.
> Regards, Buchan
Thanks for the clarification and confirmation on this topic.
Have a nice day, Zdenek
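The two authentication flows discussed in this thread, side by side, as an added example that is not part of the thread and not pure-ftpd's own code. It uses a small in-memory stand-in for slapd (no network, no ldap library) so it runs offline: the DNs, passwords and the {SSHA} values are all constructed here. `auth_by_hash_compare` mirrors what log_ldap.c does (read userPassword with a service account, re-hash, compare), and `auth_by_bind` is the search-then-bind flow described above. The fake directory enforces the usual ACL that userPassword is not readable by an anonymous bind, which reproduces the err=50 (insufficientAccessRights) seen in the log once LDAPBindDN is removed, while the bind-based flow still works without any access to userPassword.

```python
import base64
import hashlib
import hmac
import os

# All DNs, names and passwords below are constructed for this example.
BASE_DN = "ou=people,dc=example,dc=org"
SERVICE_DN = "cn=ftp-auth,ou=services,dc=example,dc=org"


def make_ssha(password, salt=None):
    """Build an OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def check_ssha(stored, password):
    """Re-hash with the salt embedded in the stored value and compare in constant time.
    A hash-comparing client has to implement this itself, once per password scheme."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("unsupported password scheme: " + stored.split("}")[0] + "}")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


class InsufficientAccess(Exception):
    """Stands in for LDAP result code 50 (insufficientAccessRights), the err=50 in the log."""


class FakeDirectory:
    """Minimal stand-in for slapd: DN -> attributes, with the usual ACL that
    userPassword is never readable by an anonymous bind."""

    def __init__(self, entries):
        self.entries = entries

    def bind(self, dn, password):
        """Simple bind. An empty DN is an anonymous bind; for any other DN the
        server itself checks the password against the entry's userPassword."""
        if dn == "":
            return FakeConnection(self, anonymous=True)
        entry = self.entries.get(dn)
        if entry is None or not check_ssha(entry["userPassword"], password):
            return None  # invalidCredentials (49)
        return FakeConnection(self, anonymous=False)


class FakeConnection:
    def __init__(self, directory, anonymous):
        self.directory, self.anonymous = directory, anonymous

    def search(self, base, attr, value, attributes):
        """Return [(dn, {attr: value, ...})] for entries under base whose attr == value."""
        hits = []
        for dn, entry in self.directory.entries.items():
            if dn.endswith(base) and entry.get(attr) == value:
                if self.anonymous and "userPassword" in attributes:
                    raise InsufficientAccess("err=50: userPassword not readable anonymously")
                hits.append((dn, {a: entry[a] for a in attributes if a in entry}))
        return hits


def auth_by_hash_compare(directory, bind_dn, bind_pw, uid, password):
    """The log_ldap.c approach: read userPassword via a service account and compare hashes.
    Needs a bind DN allowed to read userPassword and client-side support for every scheme."""
    conn = directory.bind(bind_dn, bind_pw)
    if conn is None:
        return False
    hits = conn.search(BASE_DN, "uid", uid, ["userPassword"])
    return len(hits) == 1 and check_ssha(hits[0][1]["userPassword"], password)


def auth_by_bind(directory, uid, password):
    """Search-then-bind: find the DN (an anonymous search is enough, no userPassword
    access needed), then bind as that DN and let the server judge the password."""
    conn = directory.bind("", "")
    hits = conn.search(BASE_DN, "uid", uid, ["uid"])
    if len(hits) != 1:
        return False
    return directory.bind(hits[0][0], password) is not None


DIRECTORY = FakeDirectory({
    SERVICE_DN: {"cn": "ftp-auth", "userPassword": make_ssha("service-secret")},
    "uid=alice," + BASE_DN: {"uid": "alice", "userPassword": make_ssha("correct horse")},
})

if __name__ == "__main__":
    print(auth_by_bind(DIRECTORY, "alice", "correct horse"))
    print(auth_by_hash_compare(DIRECTORY, SERVICE_DN, "service-secret", "alice", "correct horse"))
    try:
        # What happens to the hash-compare flow with LDAPBindDN removed (anonymous bind).
        auth_by_hash_compare(DIRECTORY, "", "", "alice", "correct horse")
    except InsufficientAccess as exc:
        print(exc)
```

The point the simulation makes is the one raised in the thread: the hash-compare design forces the FTP server to hold a credential that can read everyone's userPassword, and to reimplement each storage scheme ({SSHA} here; {CRYPT}, {MD5} and others in real deployments), whereas search-then-bind needs only a DN and leaves password verification, lockout and policy to the directory.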