
Re: Problem with ADS authentication - any alternatives?



On 15/07/2010 19:56, Dan White wrote:
On 15/07/10 19:06 +0200, Garry Glendown wrote:
On 12.07.2010 16:14, Dan White wrote:
On 12/07/10 14:43 +0200, Garry Glendown wrote:
After a customer of ours migrated from using a local OpenLDAP server to
using a central ADS, I've run into sort of a problem ...

One of the apps that had been using LDAP to get certain information for
a user has now got a problem as the formerly used bind with the user ID
(which was present in multiple fields, like uid, cn etc.) now fails. The
customer ADS now has the user name (in the format "First Last") in the
cn field, and as the complete dn in the dn field (with ou=...)
Now, while stuff like Cyrus works fine through looking up the correct DN
for a specified uid first and then using that DN for binding to the
database, this app still just hands over the input to ADS ... of course,
bind fails, as the supplied user ID doesn't match either DN or CN.

Do you mean Cyrus SASL or IMAP here? How does your app bind to the LDAP
server? Is it a SASL bind with a username and password?

The app in question does a straight LDAP bind, using the username and pw
entered ...

That suggests to me that it is indeed a SASL bind.

AD does in fact accept plain LDAP binds with a username in place of a DN. Or at least username@domain.tld. It's one of those weird things...

--
--------------------------------------------------------------
Jonathan Clarke - jonathan@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
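The two workarounds the thread mentions, looking the DN up first the way Cyrus does and binding with a username@domain UPN as Jonathan describes, as an added example that is not code from any poster; it runs against a constructed in-memory stand-in for the customer's AD (all DNs, account names and the password are made up), with RFC 4515 filter escaping so that a login string handed straight over by the app cannot alter the search filter.

```python
# Constructed in-memory stand-in for the customer's AD (DN -> attributes).
# Assumed names; real code would call an LDAP library for search and bind.
FAKE_AD = {
    "CN=Garry Glendown,OU=Staff,DC=example,DC=com": {
        "sAMAccountName": "gglendown",
        "userPrincipalName": "gglendown@example.com",
        "userPassword": "hunter2",  # constructed sample credential
    },
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the login the user typed cannot rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(login: str) -> str:
    """Filter a real client would send to find the entry for an account name."""
    return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(login)

def search_dn(login: str, directory=FAKE_AD):
    """Step 1, the Cyrus approach: resolve the account name to its DN.
    Returns (filter, dn); the fake evaluates the filter as an exact match."""
    ldap_filter = build_filter(login)
    for dn, attrs in directory.items():
        if attrs.get("sAMAccountName") == login:
            return ldap_filter, dn
    return ldap_filter, None

def simple_bind(name: str, password: str, directory=FAKE_AD) -> bool:
    """Stand-in for an LDAP simple bind. AD accepts a DN or a UPN as the bind
    name; a bare account name is refused, which is the failure in the thread."""
    if not password:  # RFC 4513: empty password means anonymous bind, never a login
        return False
    for dn, attrs in directory.items():
        if name in (dn, attrs.get("userPrincipalName")):
            return attrs.get("userPassword") == password
    return False

def authenticate(login: str, password: str, domain="example.com") -> str:
    """Try search-then-bind first, then a UPN bind; report which one worked."""
    _, dn = search_dn(login)
    if dn is not None and simple_bind(dn, password):
        return "search-then-bind"
    if simple_bind("%s@%s" % (login, domain), password):
        return "upn-bind"
    return "rejected"
```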