Apache – mod_authnz_ldap bind as authenticating user instead of anonymously

apache-httpd, authentication, ldap

I'm attempting to move as close to single credential as possible. We have a web application that has a fairly limited set of available authentication mechanisms but will (luckily) allow admins to tell it to trust the REMOTE_USER environmental variable set by httpd.

Is there a way to configure mod_authnz_ldap to authenticate using the requesting user's credentials instead of just choosing between anonymous binds or shared credentials?

This is what I currently have:

    <Location />
        AuthzLDAPLogLevel debug
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Active Directory"
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN CN=jad,DC=xxx,DC=com
        AuthLDAPBindPassword xxx
        AuthLDAPURL ldap://xxx.xxx.64.71/DC=xxx,DC=com?samaccountname?sub
        require valid-user
    </Location>

The xxx's mark redactions. Basically the above works to authenticate users, but it uses my account to bind to AD. If I try to comment out the AuthLDAPBindDN and AuthLDAPBindPassword, it seems to attempt to perform an anonymous bind, which the AD administrators have configured to be denied.

My question is whether Apache can be configured to use the authenticating user's credentials instead of making me choose between an anonymous bind or a shared account (which isn't possible either, given the policy the AD guys have set). Using a person's account is also obviously not ideal for situations where they're terminated or leave.

Best Answer

Maybe AuthLDAPInitialBindAsUser (Apache 2.3.6) can help:

"Determines if the server does the initial DN lookup using the basic authentication users' own username, instead of anonymously or with hard-coded credentials for the server."

In combination with AuthLDAPInitialBindPattern, something like this might do the trick (untested):

    <Location />
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "Active Directory"
        # AuthzLDAPAuthoritative only exists in 2.2 and was removed in 2.4
        # (the InitialBind directives below need 2.3.6 or later), so it is
        # omitted here; with it present httpd fails to start.
        AuthLDAPInitialBindAsUser on
        AuthLDAPInitialBindPattern (.+) cn=$1,dc=com
        AuthLDAPURL ldap://xxx.xxx.64.71/DC=xxx,DC=com?samaccountname?sub
        require valid-user
    </Location>
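A fuller Apache 2.4 configuration along the lines of this answer, added here as an example and not taken from the question or the answer: every LDAP bind, search and compare is done with the requesting user's own credentials, so no service password is stored on the web server. The domain example.com, host dc1.example.com, CA file path and group DN are placeholders.

```apache
# Added example (not from the question or answer): Apache 2.4 / mod_authnz_ldap
# configured so that all LDAP operations use the requesting user's credentials.
# Host, domain, CA path and group DN are assumptions.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ad-root-ca.pem
LDAPVerifyServerCert On

<Location "/">
    AuthType Basic
    AuthName "Active Directory"
    AuthBasicProvider ldap

    # Users are located by sAMAccountName under the domain base.
    # ldaps:// keeps the user's password off the wire in clear text.
    AuthLDAPURL "ldaps://dc1.example.com/DC=example,DC=com?sAMAccountName?sub?(objectClass=user)"

    # No AuthLDAPBindDN / AuthLDAPBindPassword: the initial DN lookup binds
    # as the authenticating user. AD accepts a userPrincipalName for a
    # simple bind, so the Basic username "jad" becomes "jad@example.com".
    AuthLDAPInitialBindAsUser on
    AuthLDAPInitialBindPattern (.+) $1@example.com

    # Authorization compares/searches (the Require ldap-group below) are
    # also run as the user instead of with stored server credentials.
    AuthLDAPCompareAsUser on
    AuthLDAPSearchAsUser on

    # Normalise REMOTE_USER to the directory's sAMAccountName, not the
    # spelling or case the browser sent, before the application trusts it.
    AuthLDAPRemoteUserAttribute sAMAccountName

    # Least privilege: only members of this group reach the application.
    Require ldap-group CN=WebApp-Users,OU=Groups,DC=example,DC=com
</Location>
```

Because the user's own password is used for every directory operation, httpd cannot look anything up before the browser has sent credentials, so anonymous access and pre-authentication searches are not possible with this layout.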