[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentication using DN or uid?

To: Kristin Engstrom <Kristin.Engstrom@netiq.com>
Subject: Re: Authentication using DN or uid?
From: Matthew J Backes <lucca@CSUN.EDU>
Date: Fri, 20 Sep 2002 17:20:06 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <68A8FAD6CF302344842A0680F5F8A4C203991D03@pdxexch02.netiq.local>
Organization: California State University Northridge
References: <68A8FAD6CF302344842A0680F5F8A4C203991D03@pdxexch02.netiq.local>

On Fri, 20 Sep 2002 15:18:07 -0700
Kristin Engstrom <Kristin.Engstrom@netiq.com> wrote:

> Perhaps I'm misunderstanding the whole LDAP authentication model.  Has
> anyone figured out how to use user-friendly usernames and still have their
> front-end talk to a wide variety of directories (on different platforms)?

It is unreasonable to assume an enduser knows their DN.  It is also
unreasonable to assume that you may construct a DN by knowing the
value of an attribute.  Many programs get that wrong and it makes life
very difficult for people with complex DIT's.

The Ideal situation is to have your software configurable; the user
will enter some value referring to their identity and some value that
authenticates their identity.  Make the attribute of the first value
configurable.

This assumes that you will be doing a search for their object.  Often
this can be done anonymously, (and you should have an option for
anonymous proxy binds) but frequently sites restrict things so that a
"proxy user" will need to do the initial search.

So.  You will want configuration details such as:

    LDAP URL e.g. ldap://ldap.some.domain:389/ou=foo,o=mybase?sub?(uid=$UID)
    Proxy User bind DN
    Proxy User credentials

So a typical session for a unix-like username/password login might
look like:

    Ask user for their username/password
    Connect and BIND anonymously to the server in the URL
    SEARCH on (uid=$UID), (where $UID would be what you are seeking)
    if you get exactly ONE result back,
    re-BIND to that dn with the supplied credentials.

This way an administrator could reconfigure your client to bind
non-anonymously for it's searches, search only part of the tree,
require certain attributes to be present e.g.

    (&(uid=foo)(objectclass=posixAccount))

or change the search attribute to mail alias, cn, or potentially an
ORing of these fields:

    (|(uid=$val)(cn=$val)(mail=$val)(mailLocalAddress=$val))

So that you can let them in via any string uniquely identifying their
object.

See RFC-2255 for the details on ldap URL formatting.

Matthew Backes
lucca@csun.edu

References:
- Authentication using DN or uid?
  - From: Kristin Engstrom <Kristin.Engstrom@netiq.com>

Prev by Date: Re: Authentication using DN or uid?
Next by Date: Re: LDAP_PARAM_ERROR sometimes under multithread environment
Index(es):
- Chronological
- Thread