
Re: Binding Problems with authentication



Thanks Julio and Darryl for a quick response.

Darryl, my slapd.conf file already indexes the mail attribute.

Julio: what username should I use then? I've tried several cases.


I changed a few things. But it still does not respond with any results (I know they exist as it works without authentication) (I wish there was a standard for all email clients to search/filter/authenticate upon).


Changes made:
1) Removed givenName attribute
2) Entries now look like (i.e. replaced cn with uid in DN):

dn: uid=jnoviell,location=Dorval,o=Matrox,c=CA
objectclass: Person
username: jnoviell
cn: Joe Novielli
uid: jnoviell
mail: jnoviell@matrox.com
location: Dorval
sn: Novielli
userPassword: {crypt}DferPKChVn9Y
telephoneNumber: xxx-xxxx ext:yyy
status: Active User


Any other suggestions? Much appreciated and thanks
FYI: My original message can be found at: http://www.openldap.com/lists/openldap-software/9907/msg00127.html





Julio Wrote

> The server doesn't seem to bind DN's for authentication (I tried Netscape,
> Eudora email clients).

The server does, it is that you are being outsmarted by your clients.
So that you do not have to remember/type DNs, they make a search, get the
DN of the retrieved entry and bind with that DN and the password you
give.

> Jul 21 11:47:28 pluton.matrox.com slapd[10166]: conn=0 op=1 SRCH
> base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="( |
> (cn=*MARK*)(SN=*MARK*)(GN=*MARK*)(GIVENNAME=*MARK*))"

See? They are looking for a user with a name containing "MARK".  BTW,
I never heard of "GN" as a valid alias for "givenName".

> Jul 21 11:47:32 pluton.matrox.com slapd[10166]: conn=0 op=1 RESULT err=0
> tag=101 nentries=0

Unfortunately, the search fails (see nentries=0).

> Jul 21 11:57:25 pluton.matrox.com slapd[10166]: conn=1 op=1 SRCH
> base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(mail=JNOVIELL,
> LOCATION=DORVAL, O=MATROX,C=CA)"

In this case, you are trying to write a DN in the login dialog.  Notice
that the text in the dialog tells you to use the email address.  It
means it.

> -------------------------------------------------------------
> The user name I am using is:  jnoviell, location=Dorval, o=Matrox,c=CA

That would not be a valid DN: the attribute type on the first RDN is
missing. You mean "uid=" or maybe "cn=" prepended to that, but don't
do it because your clients are expecting something else.

Julio

################################################### Darryl Wrote

If I'm not mistaken you're using a client that sends the mail attribute to
the server which in turn retrieves the DN and sends that back to the
server (with the user supplied password) in a bind request. This
could be failing because you have supplied a value such that the
filter mail=%v yields a result set with no entries. If your entry has a
mail attribute, use that value to authenticate (you'll probably want to
index the mail attribute).
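The search-then-bind sequence that Julio and Darryl describe (the client searches with the address you typed, takes the DN of the matched entry, then binds with that DN and your password) can be checked from the slapd log alone. The following is an added example, not code from the original thread or from OpenLDAP: a small Python script that pairs each connection's SRCH line with its RESULT and any later BIND, and reports why a login could not proceed, flagging a search that returned nentries=0 (no DN for the client to bind with) and a DN typed where the client expected an email address (the "attribute type on the first RDN is missing" case). The log is a constructed sample built from the three lines quoted above, rejoined onto single lines; the conn=1 RESULT line, the whole conn=2 session, the BIND line format and the simplified RDN check are assumptions.

```python
import re

# Constructed sample log for this example: the slapd lines quoted in the
# thread, rejoined onto single lines (the mail client had wrapped them),
# plus a constructed RESULT line for conn=1 and a constructed successful
# search-then-bind session on conn=2 for contrast. The BIND line format is
# assumed, not taken from the thread.
SAMPLE_LOG = """\
Jul 21 11:47:28 pluton.matrox.com slapd[10166]: conn=0 op=1 SRCH base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(|(cn=*MARK*)(SN=*MARK*)(GN=*MARK*)(GIVENNAME=*MARK*))"
Jul 21 11:47:32 pluton.matrox.com slapd[10166]: conn=0 op=1 RESULT err=0 tag=101 nentries=0
Jul 21 11:57:25 pluton.matrox.com slapd[10166]: conn=1 op=1 SRCH base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(mail=JNOVIELL, LOCATION=DORVAL, O=MATROX,C=CA)"
Jul 21 11:57:25 pluton.matrox.com slapd[10166]: conn=1 op=1 RESULT err=0 tag=101 nentries=0
Jul 21 12:03:10 pluton.matrox.com slapd[10166]: conn=2 op=1 SRCH base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(mail=jnoviell@matrox.com)"
Jul 21 12:03:10 pluton.matrox.com slapd[10166]: conn=2 op=1 RESULT err=0 tag=101 nentries=1
Jul 21 12:03:10 pluton.matrox.com slapd[10166]: conn=2 op=2 BIND dn="uid=jnoviell,location=Dorval,o=Matrox,c=CA" method=128
Jul 21 12:03:10 pluton.matrox.com slapd[10166]: conn=2 op=2 RESULT err=0 tag=97 nentries=0
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+)(?: nentries=(\d+))?')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)"')
# Simple filter items such as (mail=foo); enough for the equality and
# substring filters the clients in this thread send.
FILTER_ITEM_RE = re.compile(r'\((\w+)=([^()]*)\)')


def looks_like_dn(value):
    """True when a value typed into the email field carries RDN syntax
    instead of an address, e.g. 'JNOVIELL, LOCATION=DORVAL, O=MATROX,C=CA'."""
    return "=" in value and "@" not in value


def rdn_errors(dn):
    """Return the RDNs of `dn` that lack an attribute type or a value.
    Splits on bare commas only; escaped commas and multi-valued RDNs
    are not handled (assumed simplification)."""
    bad = []
    for rdn in dn.split(","):
        rdn = rdn.strip()
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            bad.append(rdn)
    return bad


def diagnose(conn):
    """Explain why a search-then-bind login on this connection cannot succeed."""
    issues = []
    flt = conn.get("filter")
    if flt is None:
        return issues
    for attr, value in FILTER_ITEM_RE.findall(flt):
        if attr.lower() == "mail" and looks_like_dn(value):
            issues.append("DN typed into the email field: %r (RDNs without a type: %s)"
                          % (value, rdn_errors(value)))
    if conn.get("nentries") == 0:
        issues.append("search matched no entry, so the client has no DN to bind with")
    return issues


def analyse(log_text):
    """Pair each connection's SRCH with its RESULT and any later BIND."""
    conns = {}
    empty = lambda: {"filter": None, "nentries": None, "bind_dn": None}
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, flt = m.groups()
            conns.setdefault(conn, empty()).update(search_op=op, base=base, filter=flt)
            continue
        m = BIND_RE.search(line)
        if m:
            conn, _op, dn = m.groups()
            conns.setdefault(conn, empty())["bind_dn"] = dn
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, _err, tag, nentries = m.groups()
            c = conns.get(conn)
            # tag 101 is SearchResultDone; count entries only for the search op,
            # so the later BIND result (tag 97) does not overwrite it.
            if c and tag == "101" and op == c.get("search_op") and nentries is not None:
                c["nentries"] = int(nentries)
    for c in conns.values():
        c["issues"] = diagnose(c)
    return conns


if __name__ == "__main__":
    for conn, c in sorted(analyse(SAMPLE_LOG).items(), key=lambda kv: int(kv[0])):
        print("conn=%s filter=%s nentries=%s bind_dn=%s"
              % (conn, c["filter"], c["nentries"], c["bind_dn"]))
        for issue in c["issues"]:
            print("   !", issue)
```

Run it against a real slapd log (loglevel with connection and operation statistics enabled) by replacing SAMPLE_LOG with the file contents; a login that never shows a BIND after its SRCH, with nentries=0 on the search, is the symptom described in this thread, and the filter value tells you what the client actually sent.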