This question about Using an extension: Answered
authenticated LDAP queries
This actually is a combined LdapContrib, LdapNgPlugin and Apache question.
I am running Foswiki as an intranet for several cooperating organizations, and personal data for all of these organizations is stored in a central OpenLDAP directory. Read and write access to the subtrees corresponding to each organization is restricted to the members of each, and the Foswiki LDAP bind user does not have sufficient access rights to access personal data for queries.
Authentication is managed via Apache and mod_ldap.
I now want to query the directory using LdapNgPlugin, but I don't see a way to make it use the current user rather than the site-wide bind user for binding. However, this is crucial to ensure correct access control to the directory.
Is there any chance of achieving this? Getting the user's dn should not be a problem, but I can't access the password necessary to bind, can I? Any pointers, ideas or suggestions would be highly appreciated.
--
FrankEckert - 21 Feb 2010
Try using the TemplateLogin scheme. This will rebind the current user with her own account. If that's done on Apache level, LdapContrib will only take the remote_user information. Any %LDAP will then still be performed using the default proxy user inside Foswiki.
If that's not feasible - for instance if you have an SSO strategy and you rely on authenticating on Apache level - then an extra option for LdapContrib is needed to make it bind to the LDAP directory as well for the reason you outlined.
--
MichaelDaum - 22 Feb 2010