Multiple (different) LDAP servers and authorisation

Phil Mayers p.mayers at imperial.ac.uk
Wed Aug 15 13:48:12 CEST 2007


On Wed, 2007-08-15 at 15:36 +1000, Stewart James wrote:

> What I have realised is that there are 2 ways that authorisation appears
>  to be called for LDAP. One way is to name the LDAP modules in the
>  authorise section. The other way appears to be through the LDAP-Group
>  in the users file and letting the "files" module then call the LDAP
>  module.

Sort of. If you had:

authorize {
  preprocess
  files
  other
  Autz-Type FOO {
    moduleX
  }
}

authenticate {
  Auth-Type MS-CHAP {
    mschap
  }
  ....etc...
}

...the flow is:

 1. call "preprocess"
 2. call "files"
 3. call "other"
 4. if and only if Autz-Type is set, do a 2nd pass through the matching
Autz-Type stanza
 5. Call one and only one module from the authenticate section to
execute the authentication algorithm

Alan has already hinted at this, but - you will not be able to get the
plaintext password out of AD. Your password checking options against AD
are limited to precisely two:

 1. For PAP, you can authenticate the user by asking the LDAP module to
do an LDAP simple bind with the PAP username/password
 2. For MS-CHAP, you install samba, join the domain, and use the
"ntlm_auth" helper binary in the mschap module

Which of the two do you want to do, because that will impact the next
bit.
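To make the flow above and the two AD options concrete, here is an added configuration example; it is not from the original thread or the FreeRADIUS project. It assumes FreeRADIUS 2.x unlang syntax, a domain EXAMPLE whose domain controller is dc1.example.com, a base DN of dc=example,dc=com, a bind account cn=radius,cn=Users,dc=example,dc=com, and ntlm_auth installed at /usr/bin/ntlm_auth; all of those names are placeholders.

```conf
# --- modules/ldap : PAP path, authenticate by an LDAP simple bind as the user ---
ldap {
    # Assumed hostname and DNs; replace with your own.
    server = "dc1.example.com"
    # Use LDAPS (port 636) or start_tls: a simple bind otherwise sends the
    # user's password to the DC in clear text.
    port = 636
    identity = "cn=radius,cn=Users,dc=example,dc=com"
    password = "bind-account-secret"
    basedn = "dc=example,dc=com"
    # AD users are keyed by sAMAccountName, not uid.
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    tls {
        cacertfile = /etc/raddb/certs/ad-ca.pem
        require_cert = "demand"
    }
}

# --- modules/mschap : MS-CHAP path, delegate the NT-hash check to Samba ---
mschap {
    with_ntdomain_hack = yes
    # Requires samba installed, the host joined to the domain ("net ads join"),
    # and the radiusd user able to talk to winbind. The --domain default and
    # the ntlm_auth path are assumptions.
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{mschap:User-Name:-None}} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

# --- sites-enabled/default : the authorize / authenticate flow ---
authorize {
    preprocess
    # mschap sets Auth-Type := MS-CHAP only when MS-CHAP attributes are present;
    # it is a no-op for a PAP request.
    mschap
    files
    # Look the user up in AD. No password attribute comes back (AD never
    # exposes it), so for PAP requests force Auth-Type := LDAP to trigger the
    # user bind in the authenticate section.
    ldap
    if ((ok || updated) && User-Password) {
        update control {
            Auth-Type := LDAP
        }
    }
}

authenticate {
    # Exactly one of these stanzas runs, selected by control:Auth-Type.
    Auth-Type LDAP {
        ldap      # simple bind as the user's DN with the PAP password
    }
    Auth-Type MS-CHAP {
        mschap    # runs ntlm_auth, which verifies the NT-Response via the DC
    }
}
```

Note that the PAP path only works for requests that actually carry User-Password; an MS-CHAP request from the same client never reaches the ldap bind, which is why both stanzas can coexist.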
