
Re: LDAP Authentication by E-Mail Address



Wed, 2003-01-29 at 21:50, Thomas J. Baker wrote:

> I have a working LDAP server which can be queried by Evolution (Linux
> EMail Client) when authenticating with a DN. Assuming this is an ACL
> problem, what other ACLs would I need to allow authenticating by email
> address?

Sorry, I could have answered elsewhere ;)

I think you'll find that the fault is Evo's. It's there you have the
choice of authenticating with an e-mail address or a DN. However, that's
the Evo developer's fault, since only simple binds are allowed - even
SSL/TLS don't work as they should.

You have to bind to the ldap server with a DN; after you are
authenticated, then and only then does your e-mail address become
apparent. Look at it another way: If you bind anonymously and you either
don't have an e-mail address or ACLs prohibit non-authenticated entities
from viewing it, how can you authenticate? Your credentials are your DN
and password.

That being said, I learned the PHP that I do know partly out of a Wrox
book. The chapter on LDAP included stuff about how you program a "Myorg"
client for a "Myorg" directory. There, the funnies have different DNs.
One was:
dn="mail=mm@tubeforever.com,ou=pers,dc=myorg,dc=us". However, even then
that funny would still have to authenticate with its full DN - and
password. The only place that wouldn't apply is with a SASL bind using a
realm - but that comes later.

If you can, use GQ (www.biot.com for the latest, or your install CD) to
find things out. As well as a 'tail -f' on slapd.log at d256 while
you're trying things. You'd be surprised at how much easier
troubleshooting becomes.

Best,

Tony

-- 

Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-mail:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
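The point Tony makes above (a simple bind only takes a DN and a password, and an e-mail address is only useful once something that may read the mail attribute has turned it into a DN) is usually solved on the client side with a "search, then bind" sequence. The following is an added example, not code from the post, from Evolution or from OpenLDAP: it models a directory and one ACL on the mail attribute in memory so it runs without a server, and walks through the anonymous case that fails on the ACL, the lookup-account case that succeeds, and the Myorg-style entry whose RDN is mail= but which still has to bind with its full DN. All entries, DNs, passwords and the ACL setting are constructed sample data.

```python
"""Search-then-bind against an in-memory model of an LDAP directory.

Added example (not from the mailing-list post): models a simple bind that
only accepts a full DN, plus one ACL on the 'mail' attribute, to show why an
e-mail address cannot be used directly as a credential and what a client has
to do instead (resolve the DN first, then bind).  Entries, DNs, passwords and
the ACL are constructed sample data; no real server is contacted.
"""

ANONYMOUS = None  # session value for an unauthenticated connection


class InvalidCredentials(Exception):
    """Raised when a simple bind is rejected (LDAP result code 49)."""


class ModelDirectory:
    """Minimal stand-in for slapd: entries keyed by DN, one ACL rule for 'mail'."""

    def __init__(self, entries, anonymous_may_read_mail):
        self.entries = entries
        # Models 'access to attrs=mail by users read by anonymous none' (False)
        # versus '... by anonymous read' (True).
        self.anonymous_may_read_mail = anonymous_may_read_mail

    def simple_bind(self, dn, password):
        """Simple bind: the name MUST be an existing DN and the password must match."""
        if dn is None:
            return ANONYMOUS                 # anonymous bind, no credentials at all
        entry = self.entries.get(dn)         # 'mm@tubeforever.com' is not a DN -> no entry
        if entry is None or entry.get("userPassword") != password:
            raise InvalidCredentials(dn)
        return dn                            # the session is now authorised as this DN

    def search_by_mail(self, session, mail):
        """Return the DNs whose 'mail' equals the value, subject to the ACL.

        As with slapd, an entry is simply invisible when the filter attribute
        is not readable by the bound identity; there is no error to see.
        """
        if session is ANONYMOUS and not self.anonymous_may_read_mail:
            return []
        return [dn for dn, attrs in self.entries.items() if attrs.get("mail") == mail]


def authenticate_by_mail(directory, mail, password, lookup_dn=None, lookup_password=None):
    """Search-then-bind: resolve the DN for an e-mail address, then bind as it.

    Returns (True, dn) on success or (False, reason) on failure.  The reason
    separates 'could not even resolve the DN' (an ACL or data problem) from
    'bind rejected' (a credential problem), which is what you want in the log.
    """
    try:
        lookup_session = directory.simple_bind(lookup_dn, lookup_password)
    except InvalidCredentials:
        return False, "lookup account rejected"
    candidates = directory.search_by_mail(lookup_session, mail)
    if len(candidates) != 1:
        return False, f"no unique DN visible for mail={mail} (ACL or missing entry)"
    user_dn = candidates[0]
    try:
        directory.simple_bind(user_dn, password)
    except InvalidCredentials:
        return False, f"bind as {user_dn} rejected (bad password)"
    return True, user_dn


# Constructed sample data: two account styles, one with a mail= RDN like the
# "Myorg" entry in the post; both still need their FULL DN to bind.
SAMPLE_ENTRIES = {
    "uid=tjb,ou=people,dc=example,dc=org": {
        "mail": "tjb@example.org", "userPassword": "correct horse"},
    "mail=mm@tubeforever.com,ou=pers,dc=myorg,dc=us": {
        "mail": "mm@tubeforever.com", "userPassword": "battery staple"},
    "cn=lookup,ou=system,dc=example,dc=org": {
        "userPassword": "lookup-secret"},
}

LOCKED_DOWN = ModelDirectory(SAMPLE_ENTRIES, anonymous_may_read_mail=False)
OPEN_MAIL = ModelDirectory(SAMPLE_ENTRIES, anonymous_may_read_mail=True)


if __name__ == "__main__":
    # Anonymous lookup hits the ACL: the DN cannot be resolved, so no bind is possible.
    print(authenticate_by_mail(LOCKED_DOWN, "tjb@example.org", "correct horse"))
    # A lookup account that may read 'mail' makes the same request succeed.
    print(authenticate_by_mail(LOCKED_DOWN, "tjb@example.org", "correct horse",
                               "cn=lookup,ou=system,dc=example,dc=org", "lookup-secret"))
    # The e-mail address itself is not a DN, so a direct simple bind with it fails.
    try:
        LOCKED_DOWN.simple_bind("mm@tubeforever.com", "battery staple")
    except InvalidCredentials as err:
        print("direct bind rejected:", err)
```

The lookup account is the usual answer when the mail attribute is hidden from anonymous binds: it needs read access to mail (and nothing else), and it turns the ACL question into a credential you can rotate. The failure reasons are deliberately distinct, because in slapd at loglevel 256 the two cases look quite different: an invisible entry produces a search with zero results, whereas a bad password produces a bind with result code 49.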