Details
-
Suggestion
-
Resolution: Won't Fix
-
None
-
None
-
3
-
Description
Crowd binds to for instance OpenLDAP with a preconfigured username and password, which implies that all use of the same directory configuration has the same rights in the LDAP directory. (This could be worked around by configuring multiple connectors to the same backend with different users, but this would soon be a messy configuration.)
It would be really useful to enable Crowd to use anonymous bind to the LDAP directory with the end users own credentials, thus performing operations that the user has right to do.
For instance: If we only want a few users to be able to add new users to the directory, this can be set in OpenLDAP with ACLs. When I log into Crowd it should be, in my opinion, the LDAP directory that authorizes me to perform write operations.
Storing a root/manager-password for the directory in Crowd is the only way for some directories/backends, but for more flexible backends like OpenLDAP it should not be necessary to do this. One can argue that it increases security if no username/passwords are stored in Crowd at all, and since Crowd is an important component in a security framework this should be supported.
Attachments
Issue Links
- is related to
-
- Closed
