Differences between version 2 and predecessor to the previous major change of ActiveDirectoryAuthenticationNotes.
Newer page: | version 2 | Last edited on Monday, March 17, 2003 6:40:19 pm | by PerryLorier |
Older page: | version 1 | Last edited on Saturday, February 22, 2003 1:03:36 am | by PerryLorier |
@@ -53,4 +53,14 @@
the sAMAccountName is the ldap attribute ActiveDirectory uses for storing the username.
[1]: Domain Component
+----
+!!Round Two!
+
+Going back to this, we found a problem. This appeared in apache's error log:
+ [Mon Mar 17 16:36:07 2003] [error] [client 210.54.31.4] Too many failures connecting to LDAP server
+This is caused by mod_ldap trying to use [LDAP] v2. This appears to cause some (unspecified) problems with Active Directory. So I found a patch by Jeff Costlow (j.costlow at f5.com) (may whatever deity he worships provide him with many years of good health and fortune) which allows you to force [LDAP] version 3.
+
+This prevents the error above from occuring, and now only authorised people can login.
+
+There is a nasty security flaw in mod_ldap that while that error is appearing in your logs you can login as __''any''__ user (even if that user doesn't exist). This is because when that error occurs mod_ldap fails and returns 0. However 0 turns out to be "success" instead of "failure". Ooops!
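
Review bot: the last added paragraph describes a fail-open (the failure path returns 0 and 0 is read as "success"), but the paragraph before it only says that forcing LDAP version 3 stops the "Too many failures connecting to LDAP server" error; nothing in the added text says the return-value handling itself was changed. As written, a reader can conclude the flaw is fixed when the text only shows one trigger being removed, so state explicitly whether the patched module still admits any user if that error appears for another reason, and recommend watching the error log for that message. Moving the flaw description above the fix would also let the severity be read first. The Jeff Costlow patch is cited without a link or the mod_ldap version it applies to; add both. Minor: "occuring" should be "occurring".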