It seems there are two methods to authenticate users using LDAP:
1) by using admin ldap search account. in this case one account will search the LDAP for the logged in user. then run another bind for the user to check. the benefit here, is that we dont need to include the long ldap user static information.
2) second method, is what we used earlier. allowing the logged in user to do the bind and check for his own attributes. but while I'm reading, I found out that some organizations doesn't allow all users to fitch LDAP entries even its own! beide that different users can be in different OUs (eg: employee1 inside OU=Employees but student1 inside OU=Students)
at our origanization, we have few systems that is connected to our Active Directory. and we use method # 1. I guess most open source systems do the same.
the main purpose of using admin account, is to get the user DN (full OU path), then use this DN to check the logged in user.
I have created a script using method # 1 (testing the free LDAP server) .. but I had to define the full admin username, because admin OU is different from users OU.
In our case I was able to use our admin search account and it worked fine with few users.
here is the code from pasteBin https://pastebin.com/8NNFNthK
1) by using admin ldap search account. in this case one account will search the LDAP for the logged in user. then run another bind for the user to check. the benefit here, is that we dont need to include the long ldap user static information.
2) second method, is what we used earlier. allowing the logged in user to do the bind and check for his own attributes. but while I'm reading, I found out that some organizations doesn't allow all users to fitch LDAP entries even its own! beide that different users can be in different OUs (eg: employee1 inside OU=Employees but student1 inside OU=Students)
at our origanization, we have few systems that is connected to our Active Directory. and we use method # 1. I guess most open source systems do the same.
the main purpose of using admin account, is to get the user DN (full OU path), then use this DN to check the logged in user.
I have created a script using method # 1 (testing the free LDAP server) .. but I had to define the full admin username, because admin OU is different from users OU.
In our case I was able to use our admin search account and it worked fine with few users.
here is the code from pasteBin https://pastebin.com/8NNFNthK