
Re: Multiple uid's?



On 03/15/13 10:24 -0700, R V wrote:
> Is there an alias entry that can be used for authentication? Basically I
> am looking for a way to allow a user record to have multiple uid's.
>
> Example:
>
> uid johnsmith
> uid jsmith
>
> Trying to bring multiple services under one authentication method. The
> challenging part, some services have varying usernames as listed above.
> Which unfortunately cannot be changed.

uid is a multi-valued attribute, so you could specify it multiple
times. We chose to create a custom attribute for alternative uids in our
setup, so that we could easily normalize usernames.

For SASL binds, you can do this in your config:

authz-regexp
  "uid=([^,]+),cn=example.net,cn=[^,]+,cn=auth"
  ldap:///ou=people,dc=example,dc=net??one?(&(customAltUid=$1)(!(customAccountStatus=suspended)))

where 'customAltUid' and 'customAccountStatus' are custom attributes. We
also include the uid value into the multi-valued customAltUid entry, but we
could have just as easily not done that, and created a filter to search
both uid and customAltUid.

We do not support direct non-SASL binds, which this approach doesn't
support - unless the software doing the bind supports a two-step bind
process where it searches for the dn (using customAltUid in its filter),
then binds as the dn.

--
Dan White
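
The first step of the two-step bind mentioned in the message above (find the DN by customAltUid, then bind as it), as an added example that is not part of the original post and not Dan White's code. The directory entries are constructed, the in-memory match stands in for the server-side one-level search, and case-insensitive matching of customAltUid is an assumption.

```python
# Added example: step 1 of a two-step (search, then bind) login.
# Entries are constructed; a real client would send alt_uid_filter() to the
# server as a one-level search under ou=people,dc=example,dc=net.

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def alt_uid_filter(username):
    """Same filter as the authz-regexp rule, with the login name escaped."""
    return ("(&(customAltUid=%s)(!(customAccountStatus=suspended)))"
            % escape_filter_value(username))

def find_bind_dn(entries, username):
    """In-memory stand-in for the search: return the DN to bind as, or None."""
    wanted = username.casefold()  # assumes case-insensitive matching, as for uid
    hits = [dn for dn, attrs in entries.items()
            if wanted in (v.casefold() for v in attrs.get("customAltUid", []))
            and "suspended" not in attrs.get("customAccountStatus", [])]
    # Zero hits: unknown or suspended. More than one: ambiguous alias. Refuse both.
    return hits[0] if len(hits) == 1 else None

# Constructed sample directory.
PEOPLE = {
    "uid=johnsmith,ou=people,dc=example,dc=net": {
        "customAltUid": ["johnsmith", "jsmith"]},
    "uid=mjones,ou=people,dc=example,dc=net": {
        "customAltUid": ["mjones", "mary"],
        "customAccountStatus": ["suspended"]},
    "uid=adoe,ou=people,dc=example,dc=net": {"customAltUid": ["adoe", "shared"]},
    "uid=bdoe,ou=people,dc=example,dc=net": {"customAltUid": ["bdoe", "shared"]},
}

if __name__ == "__main__":
    for name in ("jsmith", "johnsmith", "mary", "shared", "*"):
        print(name, "->", find_bind_dn(PEOPLE, name))
    print(alt_uid_filter("*"))
```

The client binds with the supplied password only when a single DN comes back, so a suspended account or an alias shared by two entries fails before any bind is attempted.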