LDAP "Just For Auth"

Hi Folks! I was wondering if there would be an easy way to implement NOT having to enter a password for creating a new user when LDAP auth is used? Obviously the password isn't going to be used (or is it???), so I'm basically having to type it in for nothing. =) Just a minor thing obviously.

Is this an existing user in an existing LDAP db?

Yes, it is.

And note that I do not want to use the "simply query LDAP for list of users" functionality, or else I'm left with far more people on the server than I want, or having to reinvent aspects of our LDAP service.

Interesting… apparently if you have LDAP auth enabled, both the person's LDAP password and their "local password" work. =( Definitely not what I was after either. Am I missing a config option?

Really? That's not what I see…

I've got my wildfire.xml set up with LdapAuthProvider, but everything else coming through a DefaultProvider, and when I (just now) tested using the local password, it told me it was invalid. Everyone logs in just fine using their LDAP passwords.

Timothy Collett

Just to clarify, when I say local password, I mean:

Before setting up LDAP, I had created some accounts, let's say account "daniel"… after stopping the server and configuring it for LDAP, and starting back up, I was able to log in using both my LDAP password and the password I had set manually before.

So basically =D Are we talking about the same local password?

Yep. My “local password” is the password set through the Wildfire admin console.

I set the local password for one of my users to “testing”, tried to log in with that password, and it told me I had an invalid username or password. Then I logged right back in with the LDAP password.

Timothy Collett

Hrm, well that's very bizarre. =( I wonder why it "likes" me?

Any word on this?

My guess would be that you have 2 different users with the same login… Have you tried to modify the profile (say, add a user from Gmail), log out, and log in with the other password to see if the user is there?

Message was edited by: alvarow - fixed a typo

Well, for all practical purposes I do, but what I was saying is that's part of the issue.

Here's the situation. Let's say I want to use LDAP for authentication only, but want to manually populate my list of users.

First off, I have to enter a password for each and every user. Ideally that wouldn't be required. But nonetheless, let's say I enter some silly default like "nopassword" for all of the users. Now, since I have it set up for LDAP auth against my LDAP service, all of the users can log in with their LDAP passwords. HOWEVER, they can also log in with their local "nopassword" password. The main issues I was having were:

  • If using LDAP auth, it shouldn't allow local auth as an option.

  • Ideally, if using LDAP auth, you shouldn't even have to enter a password. It could say Password: (disabled because LDAP is used for authentication)

I got around the issue via other means, but I think the issue still exists. Haven't tested it recently. =)
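To make the failure mode in this thread concrete, here is an added illustrative model; it is not Wildfire's code, and whether Wildfire actually chains its providers this way is not established above. The LDAP directory, the local password table, the user "daniel" and both passwords are constructed stand-ins. The model compares an authenticator that falls back to the local password store when the LDAP bind fails with one that consults LDAP only, and shows why a placeholder such as "nopassword" typed at account creation stays a valid credential in the first design but not the second.

```python
import hashlib
import hmac
import os

# Illustrative model of the behaviour described in this thread, not Wildfire's
# own code. The LDAP directory and local user table are in-memory stand-ins
# holding constructed sample data.

PBKDF2_ROUNDS = 100_000


class LocalPasswordStore:
    """Stand-in for the local user table written from the admin console."""

    def __init__(self):
        self._records = {}

    def set_password(self, username, password):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._records[username] = (salt, digest)

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            return False
        salt, expected = record
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        return hmac.compare_digest(expected, actual)


class FakeLdapDirectory:
    """Stand-in for an LDAP simple bind as the user's DN (constructed data)."""

    def __init__(self, credentials):
        self._credentials = {u: p.encode() for u, p in credentials.items()}

    def bind(self, username, password):
        stored = self._credentials.get(username)
        if stored is None:
            return False
        return hmac.compare_digest(stored, password.encode())


class FallbackAuth:
    """The behaviour reported in the thread: LDAP is tried first and, if the
    bind fails, the local store is consulted, so the placeholder typed at
    account creation remains a working credential."""

    def __init__(self, ldap, local):
        self.ldap = ldap
        self.local = local

    def authenticate(self, username, password):
        return self.ldap.bind(username, password) or self.local.verify(username, password)


class LdapOnlyAuth:
    """The behaviour the poster wanted: with LDAP as the auth provider the
    local store is never consulted, so the placeholder cannot be used."""

    def __init__(self, ldap):
        self.ldap = ldap

    def authenticate(self, username, password):
        return self.ldap.bind(username, password)


def run_scenario():
    """Replays the thread's scenario and reports which logins are accepted."""
    ldap = FakeLdapDirectory({"daniel": "ldap-secret"})  # constructed
    local = LocalPasswordStore()
    local.set_password("daniel", "nopassword")  # placeholder from the admin console
    fallback = FallbackAuth(ldap, local)
    strict = LdapOnlyAuth(ldap)
    return {
        "fallback_ldap_password": fallback.authenticate("daniel", "ldap-secret"),
        "fallback_local_password": fallback.authenticate("daniel", "nopassword"),
        "strict_ldap_password": strict.authenticate("daniel", "ldap-secret"),
        "strict_local_password": strict.authenticate("daniel", "nopassword"),
        "strict_wrong_password": strict.authenticate("daniel", "guess"),
    }


if __name__ == "__main__":
    for case, accepted in run_scenario().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The practical check this suggests for a deployment like the one above is the same as the scenario's last two cases: after switching the auth provider to LDAP, log in as a pre-existing account with the old local password and confirm it is rejected; if it is accepted, every account created with a shared placeholder is effectively a shared default credential.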