TTLDAP: "Bind Attribute" not proper LDAP behaviour

Use this forum to discuss desired new features for TimeTrex
korynkai
Posts: 2
Joined: Tue Jul 12, 2016 5:24 pm

TTLDAP: "Bind Attribute" not proper LDAP behaviour

Post by korynkai » Tue Jul 12, 2016 5:53 pm

When using LDAP for logins, TimeTrex requires the "Bind Attribute" parameter to be set (this should ALWAYS be the user's Distinguished Name, or at least Relative Distinguished Name if the "Base DN" parameter is set, rather than any oddball attribute; the user's CN attribute is the standard RDN to bind to in the majority of - but not all - installations) or the passed DN becomes "username,<base dn>" (for instance: "username,ou=people,dc=example,dc=com").

Normal LDAP configuration and behaviour only ever requires a search filter and then binds using the user's LDAP Distinguished Name and then authenticates using the user's DN rather than some configured attribute. Sometimes it is common to use the LDAP DN for login to web applications, but this is by far not how every installation handles things. Often LDAP configurations use a different attribute as the username and stay away from what would be the user's RDN.

Also, the "User Filter" parameter should ALWAYS use proper LDAP filter syntax and variables delimiting which parameter is which, for instance: "(&(objectClass=*)(uid=$1)(is_timetrex_user=1))" where "$1" is automatically translated to the username supplied at the login screen when authenticating.

An example of a properly written LDAP module written in PHP (for Codiad in this case) can be found at https://github.com/QMXTech/Codiad-LDAPE ... r/ldap.php .

I may personally rewrite TTLDAP to use proper LDAP behaviour if nobody gets to it before I do.
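The search-then-bind flow the post above describes, as an added example that is not part of the original post and is not TimeTrex or Codiad code. It is written in Python against a hypothetical `directory` client interface so that it runs without a server; `FakeDirectory`, its `search`/`bind` methods and the sample user are constructed for illustration. The filter template is the one quoted in the post.

```python
import re

# RFC 4515 requires these characters to be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def build_filter(template, username):
    """Replace $1 in the filter template with the escaped login name."""
    escaped = "".join(_FILTER_ESCAPES.get(ch, ch) for ch in username)
    return template.replace("$1", escaped)


def authenticate(directory, base_dn, template, username, password):
    """Search for the login name, then bind as the DN the search returned.

    `directory` is a hypothetical client: search(base_dn, filter) returns a
    list of DNs and bind(dn, password) returns True or False.
    """
    # An empty password makes a simple bind "unauthenticated" (RFC 4513),
    # which some servers report as success, so reject it before binding.
    if not username or not password:
        return None
    matches = directory.search(base_dn, build_filter(template, username))
    if len(matches) != 1:  # zero or ambiguous matches: refuse to guess
        return None
    dn = matches[0]
    return dn if directory.bind(dn, password) else None


class FakeDirectory:
    """Constructed in-memory stand-in for an LDAP server (sample data only)."""

    def __init__(self):
        # uid -> (DN, password); the RDN is cn, not the login name.
        self.users = {"jdoe": ("cn=Jane Doe,ou=people,dc=example,dc=com", "s3cret")}
        self.last_filter = None

    def search(self, base_dn, ldap_filter):
        self.last_filter = ldap_filter
        # Minimal matcher: honours only the (uid=...) term of the filter.
        found = re.search(r"\(uid=([^()]*)\)", ldap_filter)
        uid = found.group(1) if found else None
        return [dn for u, (dn, _) in self.users.items()
                if u == uid and dn.endswith(base_dn)]

    def bind(self, dn, password):
        return any(d == dn and p == password for d, p in self.users.values())
```

The login name `jdoe` resolves to a DN whose RDN is `cn=Jane Doe`, which a DN assembled as "username,<base dn>" could never match.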

korynkai
Posts: 2
Joined: Tue Jul 12, 2016 5:24 pm

Re: TTLDAP: "Bind Attribute" not proper LDAP behaviour

Post by korynkai » Wed Jul 13, 2016 4:33 pm

and then binds using the user's LDAP Distinguished Name and then authenticates using the user's DN
Excuse this silly redundancy, I typed this from my phone... It should say "...and then binds or authenticates using the user's LDAP Distinguished Name (depending on whether the bind DN and password are set in the configuration, of course)"

smyers119
Posts: 4
Joined: Tue Nov 01, 2016 10:57 am

Re: TTLDAP: "Bind Attribute" not proper LDAP behaviour

Post by smyers119 » Fri Nov 04, 2016 6:31 pm

I agree with this poster. You are not using best practice when it comes to this issue. Is there a remedy in the works?
