[racktables-users] Re: httpd authentication

Denis,

You are quite correct. It is a short circuit. However, users are unable
to log in with your suggested settings unless both the local database
user and ldap user have matching passwords. This, to me, quite defeats
the purpose of having the user in ldap at all.

-Jason

Denis Ovsienko wrote:
>> That's the thing. The boxes were all blank which left me a little
>> confused (no php warnings either). I changed the code a bit to get it
>> working for what I needed. The resulting change allowed usernames which
>>     
>
> The change looks more like a short-circuit, to be honest, and I would
> never run it this way with valuable data.
>
>   
>> authed against ldap to log in if they had a corresponding local username
>> in the racktables database (I'm using a blank password for the database
>>     
>
> Having "$require_local_account = FALSE" should do quite the opposite:
> it makes a local record not necessary for successful authentication of
> LDAP one. Let me make it clear: when a user's password is verified in
> LDAP, the password from database is never used. So you could set it to,
> say, "123", or any randomly-generated password.
>
>   
>> user because I'm not interested in keeping them synced). I would have
>> thought that having "require_local_account = FALSE;" would not require
>> the database user to even exist, but it actually had a nice side-effect,
>> unexpected, but nice nonetheless (because it allowed me to re-use a
>> pre-existing Web OU in ldap and still limit particular users from
>> logging in). Below is my non-fancy diff:
>>     
>
> I'd suggest reverting the changes back to "vanilla" code and trying to
> configure/debug it that way.
>
>   

-- 

-Jason 
