views: 91
answers: 3
I am trying to authenticate users on my site with their LDAP credentials. However, the bind to Active Directory seems to require my credentials first before I can authenticate any other username/password.
I don't want to hardcode my credentials in the application. Any suggestions?

$self->authen->config(
    # Authen::Simple::LDAP driver: binddn/bindpw are used for the initial
    # directory bind, before the user's own username/password are checked
    DRIVER => [ 'Authen::Simple::LDAP',
        host   => 'ldapad.company.com',
        basedn => 'OU=XXX,OU=AD,DC=YYY,DC=ZZZ',
        binddn => 'CN=myname,OU=Users,OU=company,OU=AD,DC=company,DC=ZZZ',
        bindpw => 'secret',
        filter => '(cn=%s)',
    ],
    CREDENTIALS          => [ 'authen_username', 'authen_password' ],
    STORE                => 'Session',
    LOGOUT_RUNMODE       => 'logout',
    LOGIN_RUNMODE        => 'login',
    POST_LOGIN_RUNMODE   => 'okay',
    RENDER_LOGIN         => \&my_login_form,
);

+1  A: 

This is a standard FAQ item for LDAP to A/D.

You must create a special user for the purpose of binding to A/D, and hardcode the credentials in your client. AFAIK there's no way around this requirement, though if there's newer information available (I solved this a few years ago) I'd love to know.

Jim Garrison
+1  A: 

You could store the credentials in a separate file that you read programmatically with strict permissions on it, so at least you don't have to embed the credentials right in the source.

Ether
A: 

You should create a user in Active Directory (say 'aduser') which can have a trivial password. You can then simply give that user no rights to do or access anything. AD allows any user (even one with no access rights) to bind to the directory, but they must have an account on the domain.

Niels Thomsen
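The following is an added example, not code from the question or from any of the answers above. It combines Ether's suggestion (keep the bind password in a separate file with strict permissions) with Niels Thomsen's (bind with a dedicated AD account that has no rights beyond binding, called 'aduser' here): the application reads the password from the file at startup and refuses to run if the file is owned by someone else or readable by group or others, so a permissions slip is caught immediately instead of quietly exposing the secret. It assumes the `$self->authen->config` call in the question comes from CGI::Application::Plugin::Authentication; the file path, host, DNs and `my_login_form` are placeholders taken from or modelled on the question.

```perl
package MyApp;
# Added example: load the AD bind password for Authen::Simple::LDAP from a
# separate, tightly permissioned file instead of embedding it in the source.
use strict;
use warnings;
use Fcntl qw(:mode);
use base 'CGI::Application';
use CGI::Application::Plugin::Authentication;

# Hypothetical path: a file containing only the bind password on one line.
# Create it owned by the user the web application runs as, mode 0600.
my $BINDPW_FILE = '/etc/myapp/ldap-bindpw';

# Read the bind password, dying if the file is owned by another user, is
# readable by group/others, or is empty.
sub read_bind_password {
    my ($path) = @_;
    my @st = stat $path or die "cannot stat $path: $!\n";
    my ($mode, $uid) = ($st[2], $st[4]);   # st_mode and st_uid

    die "$path must be owned by uid $< (owner is uid $uid)\n"
        unless $uid == $<;
    die sprintf("%s is readable by group/others (mode %04o); use chmod 600\n",
                $path, S_IMODE($mode))
        if S_IMODE($mode) & (S_IRWXG | S_IRWXO);

    open my $fh, '<', $path or die "cannot open $path: $!\n";
    my $pw = <$fh>;
    close $fh;
    chomp $pw if defined $pw;
    die "$path is empty\n" unless defined $pw && length $pw;
    return $pw;
}

sub cgiapp_init {
    my $self = shift;
    my $bindpw = read_bind_password($BINDPW_FILE);

    $self->authen->config(
        DRIVER => [ 'Authen::Simple::LDAP',
            host   => 'ldapad.company.com',
            basedn => 'OU=XXX,OU=AD,DC=YYY,DC=ZZZ',
            # dedicated bind account with no other rights, per the answer above
            binddn => 'CN=aduser,OU=Users,OU=company,OU=AD,DC=company,DC=ZZZ',
            bindpw => $bindpw,             # read from the file, never literal
            filter => '(cn=%s)',
        ],
        CREDENTIALS        => [ 'authen_username', 'authen_password' ],
        STORE              => 'Session',
        LOGOUT_RUNMODE     => 'logout',
        LOGIN_RUNMODE      => 'login',
        POST_LOGIN_RUNMODE => 'okay',
        RENDER_LOGIN       => \&my_login_form,   # the app's own login form, as in the question
    );
}

1;
```

Because the check runs in cgiapp_init, a world-readable or wrongly owned password file makes every request fail loudly rather than letting the application keep serving with an exposed secret; the bind account itself still needs only the ability to bind and search under the base DN.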