00532: Use authenticated bind for ldap authuser
Description: There is an issue related to the use of ldap_bind. In many environments, you cannot get useful results upon an anonymous bind action. You will not receive an error message from ldap_bind itself, rather subsequent ldap_search or ldap_list actions will fail with "operations error". So you need to authenticate before checking the credentials of the user who is ultimately trying to authenticate, which is a bit of a catch-22. Of course, it must also be ensured that passwords are encrypted when transmitted from the web client to the web server. I am not sure whether it is the case in the current default configuration.
Soren Poulsen, CERN, Geneva
I fully agree about the need for authenticated binds; however, in keeping with PmWikiPhilosophy #3 I was choosing to not implement it until needed and more details could be available. Also, the LDAP authentication is still a bit new to PmWiki and I'm eager for reports of people actually using it. :-)
Would it be okay to just have $LDAPBindDN and $LDAPBindPassword variables to encode the initial bind requirements...?
As for secure transmission of passwords from web client to server, PmWiki relies on the wiki and server administrator(s) involved to set up SSL or other transport layer security. HTML and HTTP simply don't provide sufficient power to encrypt such things without having some level of admin support behind it. --Pm
I definitely would like to see this implemented. In my environment, anonymous LDAP binds are disabled. This is a common security setting for Windows Active Directory environments. The Apache 2.0 LDAP module is a good reference for LDAP variables.
-- As long as PmWiki's LDAP stuff supports LDAPS, then the security should be fine since most people should be connecting to their LDAP servers through secure LDAP (port 686 in Active Directory).
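
The bind-search-bind flow discussed in this issue, as an added example that is not part of the thread and is not PmWiki's own code. `$LDAPBindDN` and `$LDAPBindPassword` are the variable names proposed above; the function name `LdapCheckUser`, its other parameters and the sample values in the comments are hypothetical.

```php
<?php
// Added example (not PmWiki code): authenticate a user against a directory
// that refuses anonymous searches. Assumes PHP's ldap extension (PHP >= 5.6).
function LdapCheckUser($uri, $baseDN, $userAttr, $LDAPBindDN, $LDAPBindPassword,
                       $user, $password) {
  // A simple bind with an empty password is an "unauthenticated bind", which
  // some servers accept as anonymous. Reject it before contacting the server,
  // otherwise any known user name with a blank password could log in.
  if ($user === '' || $password === '') return false;

  // Use an ldaps:// URI so neither the service account's nor the user's
  // password crosses the network in clear text.
  $ds = ldap_connect($uri);
  if (!$ds) return false;
  ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
  ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

  // Step 1: authenticated bind with the service account, so the search below
  // does not fail with "operations error" as it would after an anonymous bind.
  if (!@ldap_bind($ds, $LDAPBindDN, $LDAPBindPassword)) {
    ldap_unbind($ds);
    return false;
  }

  // Step 2: look up the user's DN. Escape the supplied name so characters
  // such as "*", "(" and ")" cannot change the meaning of the filter.
  $filter = '(' . $userAttr . '=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';
  $sr = @ldap_search($ds, $baseDN, $filter, array($userAttr));
  if (!$sr || ldap_count_entries($ds, $sr) !== 1) {   // none, or ambiguous
    ldap_unbind($ds);
    return false;
  }
  $userDN = ldap_get_dn($ds, ldap_first_entry($ds, $sr));

  // Step 3: rebind as the user; the directory itself checks the password.
  $ok = @ldap_bind($ds, $userDN, $password);
  ldap_unbind($ds);
  return $ok;
}

// Constructed sample call (placeholder host, DNs and credentials):
// LdapCheckUser('ldaps://ldap.example.org', 'ou=people,dc=example,dc=org',
//               'uid', 'cn=wiki-bind,dc=example,dc=org', 'service-secret',
//               $_POST['authid'], $_POST['authpw']);
```

The service account only needs read access to the attribute used in the search, so it can be kept to the least privilege the directory allows.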