To use this module you must define a tag as shown below:
<ldapoper baserdn="ou=People,dc=brainbox,dc=cc"
server="ldap://brainwave.brainbox.cc"
searchscope="subtree"
binddn="cn=Manager,dc=brainbox,dc=cc"
bindauth="mysecretpass">
The variables in the tag have the following meanings:
- baserdn indicates the base Distinguished Name to search in for users.
- server indicates the LDAP server to connect to. The ldap:// style scheme before the hostname proper is MANDATORY.
- searchscope indicates the depth of search to perform. The default is 'subtree', supported types are 'subtree', 'base' and 'onelevel'.
- binddn and bindauth indicate the Distinguished Name to bind to for searching, and the password for the distinguished name. Some LDAP servers will allow anonymous searching in which case these two values do not need defining, otherwise they should be set similar to the examples above.
To define an oper who authenticates against LDAP, his/her oper block must be defined as in the example shown below:
<oper name="someoper" password="uid=opers_ldap_uid" host="*@*" type="NetAdmin" hash="ldap">
The ldap value in the hash field indicates that this oper uses LDAP for username lookups. The actual password is of course not stored in the oper block; instead, the password field contains a query string which is used to match this oper against the entries in the LDAP server. In this example, we are using a query that matches the 'uid' attribute against the literal string 'opers_ldap_uid'. If the query matches an entry, the distinguished name that is returned is bound against, using the /OPER password provided by the potential oper. Upon success, the oper privileges are granted. The usage of the password field for storing an LDAP query means that you can give your oper a different oper username from the username in the LDAP server, increasing the security of your system a little by not revealing posix usernames to potential attackers.
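The search-then-bind flow described above, as an added example that is not part of the module or of InspIRCd: the oper block's password field is parsed as an attribute=value query, the query is run under baserdn with the configured searchscope, and the single resulting DN is bound with the password the user supplied to /OPER. The directory, entry names and passwords are constructed for illustration (a real server stores hashed userPassword values and performs the bind itself); the function names are assumptions made here.

```python
"""Simulation of the ldapoper search-then-bind flow against a constructed
in-memory directory. Added example, not InspIRCd's own code."""
import hmac

# Constructed directory: DN -> attributes. Plaintext passwords stand in for
# the bind check a real LDAP server would perform on its own stored hashes.
DIRECTORY = {
    "ou=People,dc=brainbox,dc=cc": {"ou": "People"},
    "uid=opers_ldap_uid,ou=People,dc=brainbox,dc=cc":
        {"uid": "opers_ldap_uid", "userPassword": "correct-horse"},
    "ou=Staff,ou=People,dc=brainbox,dc=cc": {"ou": "Staff"},
    "uid=nested_oper,ou=Staff,ou=People,dc=brainbox,dc=cc":
        {"uid": "nested_oper", "userPassword": "battery-staple"},
}

# Values taken from the <ldapoper> tag shown above.
CONFIG = {"baserdn": "ou=People,dc=brainbox,dc=cc", "searchscope": "subtree"}


def dn_components(dn):
    """Split a DN into RDNs (simplified: assumes no escaped commas)."""
    return [c.strip() for c in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Apply LDAP search scope semantics: 'base', 'onelevel' or 'subtree'."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                       # not under the search base at all
    depth = len(entry) - len(base)         # 0 = the base itself, 1 = child...
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("unknown searchscope: %r" % scope)


def parse_query(query):
    """Turn the oper block's password field ('uid=opers_ldap_uid') into
    an (attribute, value) pair."""
    if "=" not in query:
        raise ValueError("query must look like attribute=value")
    attr, value = query.split("=", 1)
    return attr.strip(), value.strip()


def search(attr, value, base_dn, scope, directory=DIRECTORY):
    """Return the DNs whose attribute equals value within the search scope."""
    return [dn for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope) and attrs.get(attr) == value]


def bind(dn, password, directory=DIRECTORY):
    """Simulated simple bind: succeed only if the DN exists and the
    password matches (constant-time compare, as a server should do)."""
    entry = directory.get(dn)
    if entry is None or "userPassword" not in entry:
        return False
    return hmac.compare_digest(entry["userPassword"].encode(), password.encode())


def ldap_oper_auth(query, oper_password, config=CONFIG, directory=DIRECTORY):
    """Full flow: query from the oper block, password from /OPER.
    Returns (granted, detail); detail is the bound DN on success."""
    attr, value = parse_query(query)
    matches = search(attr, value, config["baserdn"], config["searchscope"], directory)
    if not matches:
        return False, "no matching entry"
    if len(matches) > 1:
        return False, "ambiguous query"    # refuse rather than guess which DN
    dn = matches[0]
    if bind(dn, oper_password, directory):
        return True, dn                    # oper privileges would be granted here
    return False, "bind failed"


if __name__ == "__main__":
    print(ldap_oper_auth("uid=opers_ldap_uid", "correct-horse"))
    print(ldap_oper_auth("uid=nested_oper", "battery-staple",
                         {"baserdn": CONFIG["baserdn"], "searchscope": "onelevel"}))
```

Note how searchscope changes the outcome for the nested entry: with 'subtree' the entry under ou=Staff is found and can authenticate, with 'onelevel' it is never returned and the bind step is never reached. The /OPER name ("someoper") never appears in the directory lookup at all; only the query in the password field does, which is the decoupling the text describes.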