Bug Report: LDAP authentication with JDBC User/Group DB--login problems

I am using a slightly unorthodox setup: I have a user/group DB set up in MySQL, but I am using LDAP for authentication (all users are set up in the LDAP database, and the passwords are checked against that, ignoring the user DB passwords).

For the most part, this has been working just fine: presence and groups update just fine, unlike with pure LDAP, and it has the centralized password management we need.

However, I recently ran across a strange problem. Users who are in the LDAP DB can log in with their LDAP password even if they’re not in the MySQL user DB–even with logins restricted to registered users.

While this is likely a rare situation, it seems to me the server should handle it and disallow logins for users not in the user DB, even if they’re in the LDAP DB.

Timothy Collett

I have the same setup on my box, except I use PostgreSQL. The server doesn’t use your MySQL database for anything more than storing information. It doesn’t use it for authentication. When you move over to LDAP as authentication, it strictly uses LDAP for that purpose. It will not look at MySQL for anything more than Roster group info. Your LDAP, is it AD, eDirectory, Sitemanager? The way we do it here is to set up a specific attribute in a group on LDAP then run a custom search string against it to authenticate only allowed users to login. Although I know very little about LDAP, I will be happy to share the string from my wildfire.xml I have for you to take a look.

Jeff

Ah, but that’s if you use LdapAuthProvider, LdapUserProvider, and LdapGroupProvider. I am only using LdapAuthProvider, and letting the DefaultProvider handle the rest.

I don’t know if this is a recommended configuration, but apart from the glitch I noted above, it seems to be working just fine.

Timothy Collett
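
The behaviour asked for in this thread (a successful LDAP password check must not be enough on its own; the account must also exist in the user DB) can be sketched as follows. This is an added example, not code from any of the posts or from the server itself; the `users` table, the function names and the in-memory directory are hypothetical stand-ins for the MySQL user DB and the LDAP bind.

```python
import hmac
import sqlite3

# Constructed stand-in for the LDAP directory: username -> password.
# A real deployment would attempt an LDAP bind instead.
DIRECTORY = {"alice": "correct horse", "mallory": "hunter2"}


def ldap_bind_ok(username, password):
    """Hypothetical authentication step: True if the directory accepts the credentials."""
    expected = DIRECTORY.get(username)
    if expected is None or not password:
        return False  # unknown user, or empty password (unauthenticated bind)
    return hmac.compare_digest(expected.encode(), password.encode())


def user_registered(db, username):
    """Authorization step: True only if the user DB has a row for this username."""
    try:
        row = db.execute(
            "SELECT 1 FROM users WHERE username = ?", (username,)
        ).fetchone()
    except sqlite3.Error:
        return False  # fail closed if the user DB cannot be queried
    return row is not None


def login(db, username, password):
    """Return 'ok' only when both the directory and the user DB agree."""
    username = username.strip().lower()
    if not ldap_bind_ok(username, password):
        return "denied: bad credentials"
    if not user_registered(db, username):
        return "denied: not in user DB"
    return "ok"


def make_user_db():
    """Constructed sample user DB (in-memory SQLite standing in for MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY)")
    db.execute("INSERT INTO users VALUES ('alice')")
    return db


if __name__ == "__main__":
    db = make_user_db()
    for name, pw in [("alice", "correct horse"), ("mallory", "hunter2"), ("alice", "x")]:
        print(name, "->", login(db, name, pw))
```

Here `mallory` has valid directory credentials but no row in the user DB, which is the case described in the first post; the denial reason is meant for server-side logging, not for the client.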