
Re: Binding Problems with authentication



> Clients should just bind to DNs... leaving "friendly" DN mappings
> to the server implementations...  Clients that don't allow users
> to specify a bind DN are flawed.

I don't necessarily agree.  Many of the LDAP books
and docs I've seen state that you want to isolate
your users from seeing the DN, and give plenty of
good reasons why.

As an example, though, let's take the Linux nss
stuff that allows you to manage your accounts via
LDAP.  Unix login supports a uid, not a DN, which
must be translated to a dn.  In a three tier approach
such as this, the middle tier may bind as some
non-anonymous dn to do the initial uid->dn lookup, which
would be configured by the Linux admin, but the user
will never enter a dn at the login prompt.  Same
goes for any other service that auths on the backend
to LDAP - pop and imap servers, web servers, etc -
the service or protocol backending to LDAP for its
user database may not support the user entering a dn.

I will agree, though, that any middle tier software
that does not allow you to give a bind dn to use
instead of anonymous is not as full featured as it
should be :-)

--
 Jeff Clowser
 mailto:jclowser@aerotek.com       Hanover MD  21076 USA
 Phone: (410)-579-4328             7312 Parkway Drive
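The three-tier uid->dn lookup described in the post above, as an added example that is not part of the original message: the middle tier binds with its own admin-configured DN, searches for the uid the user typed, and only then binds as the resulting DN. The directory object is a constructed in-memory stand-in rather than a real LDAP client, and every DN, uid and password in it is made up.

```python
import re


def escape_filter_value(value):
    """Escape a user-typed value before placing it in a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


class FakeDirectory:
    """Constructed in-memory stand-in for the LDAP server so this runs offline."""

    def __init__(self, entries):
        self.entries = entries  # {dn: {attribute: value}}

    def bind(self, dn, password):
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password

    def search(self, base, filt):
        # Only the equality filter shape "(attr=value)" the login flow needs.
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if not m:
            return []
        attr, raw = m.groups()
        value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
        return [dn for dn, a in self.entries.items() if dn.endswith(base) and a.get(attr) == value]


def authenticate(directory, service_dn, service_pw, base, uid, password):
    """Middle-tier login: the service's own DN resolves uid -> dn, then binds as that dn."""
    if not password:
        return None  # an empty password would be an unauthenticated bind (RFC 4513 5.1.2)
    if not directory.bind(service_dn, service_pw):  # admin-configured, never typed by the user
        raise RuntimeError("service bind failed")
    matches = directory.search(base, "(uid=%s)" % escape_filter_value(uid))
    if len(matches) != 1:  # unknown or ambiguous uid: refuse rather than guess
        return None
    return matches[0] if directory.bind(matches[0], password) else None


# Constructed sample directory: a service account plus users, one uid duplicated.
DIRECTORY = FakeDirectory({
    "cn=nss-proxy,ou=services,dc=example,dc=com": {"userPassword": "proxy-secret"},
    "uid=jdoe,ou=people,dc=example,dc=com": {"uid": "jdoe", "userPassword": "correct horse"},
    "uid=dupe,ou=people,dc=example,dc=com": {"uid": "dupe", "userPassword": "x"},
    "uid=dupe,ou=contractors,dc=example,dc=com": {"uid": "dupe", "userPassword": "y"},
})
SERVICE_DN, SERVICE_PW, BASE = "cn=nss-proxy,ou=services,dc=example,dc=com", "proxy-secret", "dc=example,dc=com"


def login(uid, password):
    """What the pop/imap/web service would call with the credentials it received."""
    return authenticate(DIRECTORY, SERVICE_DN, SERVICE_PW, BASE, uid, password)
```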