[GH-ISSUE #196] Alternatives to using Admin for LDAP Check #75

Closed
opened 2026-02-27 08:15:06 +03:00 by kerem · 3 comments

Originally created by @clbx on GitHub (Jun 23, 2022).
Original GitHub issue: https://github.com/lldap/lldap/issues/196

In all of the examples, and as far as I can tell, the Bind User always had to be admin. This is inherently insecure since the only user that applications can use has full access to the server. Adding a read_only group and/or adding the option for anonymous reads would solve this issue.

kerem closed this issue 2026-02-27 08:15:06 +03:00

@martadinata666 commented on GitHub (Jun 23, 2022):

Technically, AFAIK, by default we already have a `lldap_readonly` group; we only need to create a user and add it to the read-only group. Or, maybe another suggestion, lldap could create one read-only user by default.

And about the example, it is about some familiarity and using lldap as easily as possible. Maybe we should create a doc about these security concerns, like: `yes you can use admin, but use a readonly user`, with a tutorial on creating a user with `lldap_readonly`.


@nitnelave commented on GitHub (Jun 23, 2022):

Indeed this can be achieved by creating a user, member of the lldap_readonly group. It hasn't been properly documented though, so if anyone of you wants to add something to the docs and link it from the readme, that would be welcome!


@clbx commented on GitHub (Jun 23, 2022):

lldap_readonly solves my issue, but an anonymous read option would also be super convenient.

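The thread's point is that an application's LDAP bind identity should be a dedicated read-only account rather than the admin. The following is an added example, not code from the lldap project or from anyone in this thread: a small audit script that parses an LDIF export of users and groups (constructed inline) and classifies each application's configured bind DN as admin, read-only, anonymous or a regular user. The group name `lldap_admin` and the `ou=people` / `ou=groups` layout under `dc=example,dc=com` are assumptions modelled on lldap's defaults; `lldap_readonly` is the group named above.

```python
"""Audit which LDAP bind identities applications use (added example, not lldap code)."""
from __future__ import annotations

ADMIN_GROUP = "lldap_admin"        # assumed name of the admin group
READONLY_GROUP = "lldap_readonly"  # read-only group named in the issue

# Constructed LDIF export: three users and two groups (no real directory involved).
SAMPLE_LDIF = """\
dn: uid=admin,ou=people,dc=example,dc=com
objectClass: person
uid: admin

dn: uid=app-reader,ou=people,dc=example,dc=com
objectClass: person
uid: app-reader

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: person
uid: alice

dn: cn=lldap_admin,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: lldap_admin
member: uid=admin,ou=people,dc=example,dc=com

dn: cn=lldap_readonly,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
cn: lldap_readonly
member: uid=app-reader,ou=people,dc=example,dc=com
"""


def parse_ldif(text: str) -> dict[str, dict[str, list[str]]]:
    """Parse plain LDIF (no base64 values) into {dn_lowercase: {attr: [values]}}.

    Entries are separated by blank lines; a line starting with a space continues
    the previous attribute value (LDIF folding).
    """
    entries: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] | None = None
    last_attr: str | None = None
    for raw in text.splitlines():
        if not raw.strip():
            current, last_attr = None, None
            continue
        if raw.startswith(" "):
            if current is None or last_attr is None:
                raise ValueError(f"continuation line without attribute: {raw!r}")
            current[last_attr][-1] += raw[1:]
            continue
        attr, sep, value = raw.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value.lower(), {})
            last_attr = None
            continue
        if current is None:
            raise ValueError(f"attribute before any dn: {raw!r}")
        current.setdefault(attr, []).append(value)
        last_attr = attr
    return entries


def group_members(entries: dict, group_cn: str) -> set[str]:
    """Return the lower-cased member DNs of the group whose cn matches."""
    for attrs in entries.values():
        if attrs.get("cn", [""])[0].lower() == group_cn.lower():
            return {m.lower() for m in attrs.get("member", [])}
    return set()


def classify_bind(entries: dict, bind_dn: str) -> str:
    """Classify a bind DN: anonymous, unknown, admin, readonly or regular."""
    if not bind_dn:
        return "anonymous"          # empty bind DN means an anonymous bind
    dn = bind_dn.lower()
    if dn not in entries:
        return "unknown"            # not an entry in the export at all
    if dn in group_members(entries, ADMIN_GROUP):
        return "admin"              # full access: the situation the issue warns about
    if dn in group_members(entries, READONLY_GROUP):
        return "readonly"           # the recommended shape for a service bind
    return "regular"


def audit(entries: dict, app_binds: dict[str, str]) -> dict[str, str]:
    """Map each application name to the classification of its bind DN."""
    return {app: classify_bind(entries, dn) for app, dn in app_binds.items()}


# Constructed application settings: the bind DN each app would put in its LDAP config.
APP_BINDS = {
    "wiki": "uid=admin,ou=people,dc=example,dc=com",
    "git": "uid=app-reader,ou=people,dc=example,dc=com",
    "legacy": "",
}

if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for app, kind in audit(directory, APP_BINDS).items():
        flag = "FIX" if kind in ("admin", "anonymous", "unknown") else "ok "
        print(f"[{flag}] {app}: {kind}")
```

Running it flags `wiki` (bound as admin) and `legacy` (anonymous bind) and accepts `git`, which binds as the `lldap_readonly` member. Pointing `parse_ldif` at a real export instead of the constructed string turns this into a quick check that no application still carries the admin credentials.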