Still a good question!
The main reason (although it is not obvious from the code) is that
there are many OUs beneath the userbase DN, for reasons too lengthy to explain here.
Hence I cannot explicitly bind the given user as
$ldap->bind( "cn=$user,".$self->{ldap}{userbase} ,
password=>$password )
Since that user may be in any of a number of sub OUs to the userbase. I admit that there
was much "umm" and "err" about using an anonymous bind to find the
user entry, then rebind with that DN and the supplied password. The directory in
question is accessible only from 127.0.0.1 , and it is not involved in any way in
storing system accounts. My concerns about userPassword hashes being stolen are largely moot, if
they can only be accessed locally, if a malicious user is already local - I have more problems
than them having anon read access to LDAP!.
Please post some code if you can, or in the least read/comment my meditation that
more fully explains what I am stabbing in the dark at.
I can't believe it's not psellchecked |