
Re: Bind with alternative DN pattern



On Friday, 13 January 2012 01:30:59 Mathias wrote:
> Hi,
> 
> I have trouble understanding a rather simple LDAP config issue that
> I'm sure someone on this list can easily help with:
> 
> How do I add a (or change the) pattern of the bind DN that slapd lets
> me authenticate with?
> 
> I have a working slapd setup that I can happily bind to using DNs of
> the form "cn=Bob Parr,dc=example,dc=com". However, all accounts also
> have a unique "uid" attribute that I would like to use in addition to
> (or, if not possible, instead of) the "cn"-based RDN for binding.

The DN should not be relevant to end-users. Applications using simple binds 
should be configurable on which attribute to search on to identify the DN with 
which to bind. DN construction, or other methods, should be avoided.

> So, I'd like to (also) bind using the DN "uid=bob,dc=example,dc=com".
> My understanding is that one entry can have several DNs as long as
> each one is unambiguous.

False.

> Shouldn't I be able to bind with any one of
> these?

An entry has one DN.

You may be able to rewrite DNs from one form to another, but then why not just 
configure your applications correctly?

> I have spent hours on searching for documentation on this and turned
> up surprisingly little. The problem is not an ACL issue since the
> logged error when trying a "uid"-based bind is "DB_NOTFOUND: No
> matching key/data pair found" rather than anything else...
> 
> I'd be _very_ grateful for any pointers on this...

Why is the DN form so important to you?

Regards,
Buchan
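The "search for the DN, then bind with it" pattern recommended in the reply above, as an added example that is not part of the thread and not OpenLDAP or any client library's own code. The in-memory directory, the entries in it and the `fake_search`/`fake_bind` callables are constructed stand-ins for slapd so the logic runs offline; with a real server those two callables would wrap an LDAP client's search and bind operations. The escaping step is RFC 4515 filter escaping, added here because the login name comes from the user and is placed inside a search filter.

```python
"""Search-then-bind: resolve a login name to an entry's single DN, then bind.

An LDAP entry has exactly one DN, so an application that wants users to log in
with "uid=bob" should not construct "uid=bob,dc=example,dc=com" itself. It
searches on the configured attribute, requires exactly one match, and binds
with the DN the server returned.
"""
import re
from typing import Callable, Dict, List, Optional

# RFC 4515 escapes for values embedded in a search filter. Without this a
# login name such as "*)(uid=*" would alter the structure of the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def find_bind_dn(search: Callable[[str, str], List[str]], base_dn: str,
                 login_attr: str, login_value: str) -> Optional[str]:
    """Return the DN of the one entry whose login_attr equals login_value.

    Zero matches and more than one match are both rejected: picking a DN
    arbitrarily (or guessing one) is exactly what this pattern avoids.
    """
    search_filter = f"({login_attr}={escape_filter_value(login_value)})"
    dns = search(base_dn, search_filter)
    return dns[0] if len(dns) == 1 else None


def authenticate(search: Callable[[str, str], List[str]],
                 bind: Callable[[str, str], bool], base_dn: str,
                 login_attr: str, login_value: str, password: str) -> Optional[str]:
    """Return the bound DN on success, None on unknown/ambiguous user or bad password."""
    dn = find_bind_dn(search, base_dn, login_attr, login_value)
    if dn is None:
        return None
    return dn if bind(dn, password) else None


# ---- Constructed in-memory directory standing in for slapd (not real data) ----
BASE_DN = "dc=example,dc=com"
DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=Bob Parr,dc=example,dc=com": {"uid": "bob", "userPassword": "s3cret"},
    "cn=Helen Parr,dc=example,dc=com": {"uid": "helen", "userPassword": "hunter2"},
    # Two entries sharing a uid, to show that an ambiguous login is refused.
    "cn=Dash Parr,dc=example,dc=com": {"uid": "parr", "userPassword": "fast"},
    "cn=Violet Parr,dc=example,dc=com": {"uid": "parr", "userPassword": "shield"},
}


def _unescape(value: str) -> str:
    # Reverse RFC 4515 escaping; the fake server then compares literally.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def fake_search(base_dn: str, search_filter: str) -> List[str]:
    """Minimal stand-in: supports only a single equality filter "(attr=value)"."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", search_filter)
    if not m:
        return []
    attr, wanted = m.group(1), _unescape(m.group(2))
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base_dn) and attrs.get(attr) == wanted]


def fake_bind(dn: str, password: str) -> bool:
    """Stand-in for a simple bind: the server, not the client, checks the password."""
    return DIRECTORY.get(dn, {}).get("userPassword") == password


if __name__ == "__main__":
    print(authenticate(fake_search, fake_bind, BASE_DN, "uid", "bob", "s3cret"))
    print(authenticate(fake_search, fake_bind, BASE_DN, "uid", "parr", "fast"))
```

The application only ever configures the base, the login attribute (`uid` here, `mail` or `sAMAccountName` elsewhere) and a service account for the search; the DN it binds with is whatever the directory returns, so renaming an entry or changing the RDN attribute needs no client change.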