Re: Binding Problems with authentication
At 02:43 PM 7/21/99 -0400, Joe Novielli wrote:
>Thanks Julio and Darryl for a quick response.
>Darryl, my slapd.conf file already indexes the mail attribute.
>Julio: what username should I use then? I've tried several cases.
for Netscape, "email@example.com"... but note that your
ACL doesn't allow anonymous searches (and reading) of this
>I changed a few things. But it still does not respond with any results (I
>know they exist as it works without authentication) (I wish there was a
>standard for all email clients to search/filter/authenticate upon).
>1) Removed givename attribute
>2) Entries now look like (ie: replaced cn with uid in DN):
>cn: Joe Novielli
>status: Active User
>Any other suggestions? Much appreciated and thanks
>FYI: My original message can be found at:
>> > The server doesn't seem to bind DN's for authentication (I tried Netscape,
>> > Eudora email clients).
>>The server does, it is that you are being outsmarted by your clients.
>>that you do not have to remember/type dn's, they make a search, get the
>>dn of the retrieved entry and bind with that dn and the password you
>> > Jul 21 11:47:28 pluton.matrox.com slapd: conn=0 op=1 SRCH
>> > base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="( |
>> > (cn=*MARK*)(SN=*MARK*)(GN=*MARK*)(GIVENNAME=*MARK*))"
>>See? They are looking for a user with a name containing "MARK". BTW,
>>I never heard of "GN" as a valid alias for "givenName".
>> > Jul 21 11:47:32 pluton.matrox.com slapd: conn=0 op=1 RESULT err=0
>> > tag=101 nentries=0
>>Unfortunately, the search fails (see nentries=0).
>> > Jul 21 11:57:25 pluton.matrox.com slapd: conn=1 op=1 SRCH
>> > base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(mail=JNOVIELL,
>> > LOCATION=DORVAL, O=MATROX,C=CA)"
>>In this case, you are trying to write a DN in the login dialog. Notice
>>that the text in the dialog tells you to use the email address. It
>> > -------------------------------------------------------------
>> > The user name I am using is: jnoviell, location=Dorval, o=Matrox,c=CA
>>That would not be a valid dn, the attribute type on the first RDN is
>>missing, you mean "uid=" or maybe "cn=" prepended to that, but don't
>>do it because your clients are expecting something else.
>If I'm not mistaken you're using a client that sends the mail attribute to
>the server which in turn retrieves the DN and sends that back to the
>server (with the user supplied password) in a bind request. This
>could be failing because you have either supplied a value such that the
>filter mail=%v yields a result set with no entries. If your entry has a
>mail attribute, use that value to authenticate (you'll probably want to
>index the mail attribute).
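
A small log check for the diagnosis walked through above, added here as an example and not part of the original thread: it pairs each slapd SRCH line with its RESULT by conn/op and flags lookups that returned no entry or whose mail filter contains a DN. The sample input is the thread's log excerpts with the wrapped lines joined; the function name and the reason labels are assumptions.

```python
import re

# Sample input: the log excerpts quoted in the thread, wrapped lines joined.
SAMPLE_LOG = '''\
Jul 21 11:47:28 pluton.matrox.com slapd: conn=0 op=1 SRCH base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="( | (cn=*MARK*)(SN=*MARK*)(GN=*MARK*)(GIVENNAME=*MARK*))"
Jul 21 11:47:32 pluton.matrox.com slapd: conn=0 op=1 RESULT err=0 tag=101 nentries=0
Jul 21 11:57:25 pluton.matrox.com slapd: conn=1 op=1 SRCH base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(mail=JNOVIELL, LOCATION=DORVAL, O=MATROX,C=CA)"
'''

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) filter="([^"]*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+)')
# A mail value that itself holds "attr=value" pairs is a DN typed into the login box.
DN_IN_MAIL = re.compile(r'\(mail=[^)]*,\s*[A-Za-z]+=', re.I)


def diagnose(log_text):
    """Pair each SRCH with its RESULT by (conn, op) and explain failed lookups."""
    searches, findings = {}, []
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            searches[key] = m.group(5)
            if DN_IN_MAIL.search(m.group(5)):
                findings.append((key, "dn-in-mail-filter", m.group(5)))
            continue
        m = RESULT.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            filt = searches.pop(key, None)
            # err=0 with nentries=0: the search succeeded but matched nothing,
            # so the client has no DN to bind with.
            if filt is not None and m.group(3) == "0" and m.group(5) == "0":
                findings.append((key, "search-found-no-entry", filt))
    # Searches still pending have no RESULT line in the input.
    for key, filt in searches.items():
        findings.append((key, "no-result-logged", filt))
    return findings


if __name__ == "__main__":
    for (conn, op), reason, filt in diagnose(SAMPLE_LOG):
        print(f"conn={conn} op={op}: {reason}: {filt}")
```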