LISTSERV can be configured to use one or several LDAP servers for authentication (user login). You can choose to allow users without an LDAP account to log in with an internal LISTSERV password, or to restrict access to users with an LDAP account.

LDAP authentication is enabled by defining the following configuration variables:

    • LDAP_PW_SERVERS=nickname1 [nickname2 […]]

The list of LDAP servers to be queried (in the specified order) for user accounts. Be sure to enter server nicknames, not hostnames.

    • LDAP_PW_ONLY=0 or 1 (default: 0)

If set to 1, only users with an LDAP account are allowed to log in to LISTSERV; other users will only be able to access LISTSERV anonymously. 

Warning: Make sure to test your LDAP settings before enabling this option, or you will not be able to undo it from the web interface! Enabling this option on a server that previously had external users is likely to result in significant confusion for the external users, whose passwords will no longer work.

    • LDAP_PW_REQUIRE_SSL=0 or 1 (default: 1)

Whether or not LISTSERV should accept LDAP passwords transmitted to the web interface in plain text. By default, LISTSERV will only attempt to verify passwords transmitted over SSL. 

Note: This option does not control LISTSERV’s own use of SSL when communicating with the LDAP server. See the LDAP_SERVER_nickname variable.

    • SIGNUP_REQUIRE_SSL=0 or 1 (default: 0)

Similar to the above, but affects all LISTSERV passwords, whether LDAP or internal. Can be used without enabling LDAP authentication.

7.3.1 The LDAP Authentication Process

When LDAP is enabled, LISTSERV goes through the following steps to log in a user:

    1. The servers listed in LDAP_PW_SERVERS are examined in turn, in the order in which they were listed. For each server, LISTSERV executes the search configured with the LDAP_PW_BASE_nickname and LDAP_PW_FILTER_nickname variables. LISTSERV stops at the first successful search, or when there are no more LDAP servers to query.
    2. If none of the searches were successful (no LDAP account exists for this user), LISTSERV:
      1. Rejects the login if LDAP_PW_ONLY=1.
      2. Switches to internal (non-LDAP) login if LDAP_PW_ONLY=0. The login will be validated against the user’s internal LISTSERV password, if any, or the user will be prompted to create a LISTSERV password.
    3. If an LDAP account was found for this user, LISTSERV:
      1. Rejects the login if LDAP_PW_REQUIRE_SSL=1 and the login request did not come over an SSL session. In this case, LISTSERV does not even try to verify the password.
      2. Verifies the password against the LDAP server where the account was found, and accepts or rejects the login as appropriate.
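The decision flow above, written out as an added Python model (not LISTSERV code): the in-memory dictionaries stand in for the LDAP_PW_BASE/LDAP_PW_FILTER search and the bind check on each server, and the over_ssl flag stands in for the web interface's report that SSL was used, which LISTSERV itself cannot verify. Server nicknames, users and passwords are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample directories keyed by server nickname: user -> password.
# Each dict stands in for one LDAP server's search base and filter.
LDAP_SERVERS = {
    "CORP": {"alice@example.com": "alice-ldap-pw"},
    "PARTNER": {"bob@example.com": "bob-ldap-pw"},
}

# Constructed internal (non-LDAP) LISTSERV passwords.
INTERNAL_PASSWORDS = {"carol@example.net": "carol-internal-pw"}


@dataclass
class Config:
    ldap_pw_servers: list          # LDAP_PW_SERVERS: nicknames, queried in order
    ldap_pw_only: int = 0          # LDAP_PW_ONLY (default 0)
    ldap_pw_require_ssl: int = 1   # LDAP_PW_REQUIRE_SSL (default 1)


def find_ldap_account(cfg, user):
    """Step 1: query the servers in listed order, stop at the first hit."""
    for nick in cfg.ldap_pw_servers:
        if user in LDAP_SERVERS.get(nick, {}):
            return nick
    return None


def login(cfg, user, password, over_ssl):
    """Return a decision string following steps 2 and 3 of the process."""
    nick = find_ldap_account(cfg, user)
    if nick is None:
        # Step 2: no LDAP account on any listed server.
        if cfg.ldap_pw_only == 1:
            return "REJECT: no LDAP account and LDAP_PW_ONLY=1"
        if user not in INTERNAL_PASSWORDS:
            return "PROMPT: create an internal LISTSERV password"
        if INTERNAL_PASSWORDS[user] == password:
            return "ACCEPT: internal LISTSERV password verified"
        return "REJECT: internal LISTSERV password mismatch"
    # Step 3: LDAP account found on server `nick`.
    if cfg.ldap_pw_require_ssl == 1 and not over_ssl:
        # The password is not checked at all in this case.
        return "REJECT: LDAP login attempted without SSL"
    if LDAP_SERVERS[nick][user] == password:
        return f"ACCEPT: LDAP password verified on {nick}"
    return f"REJECT: LDAP password mismatch on {nick}"
```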

7.3.2 A Note on the “Require SSL” Option

The purpose of the “require SSL” option is to prevent ordinary, non-malicious users from jeopardizing their login credentials for their personal convenience, for instance by typing clear-text passwords in e-mail requests because it is faster than waiting for a confirmation ‘cookie’ at the particular Internet café where they are reading their mail. The “require SSL” option effectively disables these login attempts and forces users to log in using the web interface and SSL.

As LISTSERV does not directly process SSL sessions, it has no first-hand knowledge as to whether SSL was used to encrypt the login session or not. It is the web server that handles the SSL session with the user’s browser, notifies the LISTSERV web interface that SSL was used, and the web interface script in turn notifies LISTSERV that the password was not sent in clear text. LISTSERV has no way to verify this representation or guarantee that SSL was in fact used to transmit the password. This being said, there is no advantage for a malicious user in logging in to LISTSERV with his own credentials over an unencrypted connection. The malicious user’s interest is for other, non-malicious users to expose their passwords by sending them in clear text, so that the malicious user may gather them.

7.3.3 Using the Optional LDAP_PW_BIND Configuration Variable

The optional LDAP_PW_BIND site configuration variable is available in all modern LISTSERV builds, i.e., post-16.0. It holds the bind string that LISTSERV formats and uses when logging a user on. The default is "%n", which works "out of the box" with Active Directory and, in most cases, with OpenLDAP. For other LDAP implementations, or if your local installation requires a different bind string, define it in this setting; the value may use the %u/%h/%s escapes.

Examples (for use with the "default" LDAP server):

Unix:

    LDAP_PW_BIND="%n"
    export LDAP_PW_BIND

Windows:

    LDAP_PW_BIND=%n

Additionally, this variable, like most of the other LDAP-related variables, can also take an optional server-nickname suffix, e.g.,

Unix:

    LDAP_PW_BIND_MYSERVER="%n"
    export LDAP_PW_BIND_MYSERVER

Windows:

    LDAP_PW_BIND_MYSERVER=%n

The above example assumes that LDAP_SERVER is set to include MYSERVER.

Important: The default value for LDAP_PW_BIND is "%n".