Authentication using DN or uid?

I've been working with LDAP fairly successfully for about six months now,
developing a customized authentication and access control library for a
larger project.  My libraries need to talk to the widest range of
directories possible, so I've assumed that those directories will store
people entries using the lowest common denominator objectclass "person".  

My question is, do most applications using LDAP for authentication really
expect users to know and supply their DN to authenticate themselves?  I'm
surprised that users cannot be identified by a username or uid (unless, of
course, the directory admin uses the appropriate objectclasses).  Should I
be assuming that the LCD objectclass for people will always include
uidObject (or some other object class which has uid required)?  Such an
assumption would seem risky to me.

Perhaps I'm misunderstanding the whole LDAP authentication model.  Has
anyone figured out how to use user-friendly usernames and still have their
front-end talk to a wide variety of directories (on different platforms)?

Thanks in advance.  I've been puzzling over this in the back -- and front --
of my mind for several months.
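The pattern usually used to answer the question above (not part of the original message, added here as an illustration) is "search, then bind": a service account looks the friendly username up under a configurable attribute (uid, cn, sAMAccountName, mail), the lookup must return exactly one entry, and the front-end then binds as that entry's DN with the password the user typed. The points that matter for security are that the username is escaped per RFC 4515 before it goes into the filter (otherwise a login of `*` or `x)(uid=*` rewrites the query), that more than one match is a failure rather than "take the first", and that an empty password is rejected before any bind is attempted, because a simple bind with a DN and an empty password is an unauthenticated bind (RFC 4513 section 5.1.2) that many servers answer with success. The `InMemoryDirectory`, its sample entries and the function names below are constructed for this example; `Ldap3Directory` assumes the third-party `ldap3` library, a service account that may search the user subtree, and a TLS-protected URL, and is not exercised by the offline demo.

```python
import re

# RFC 4515 section 3: characters that must be hex-escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape user-supplied text so it is matched literally by the directory."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login_attr: str, username: str) -> str:
    """(login_attr=<escaped username>); the attribute name itself comes from config, not the user."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", login_attr):
        raise ValueError("login attribute must be a plain attribute name")
    return f"({login_attr}={escape_filter_value(username)})"


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


class InMemoryDirectory:
    """Toy stand-in for an LDAP server, constructed for this example.

    Understands only (attr=value) filters, honours a raw '*' as a wildcard the way a real
    server does, and compares values case-insensitively (uid uses caseIgnoreMatch, RFC 4519).
    """

    def __init__(self, entries):
        self.entries = entries  # dn -> {attribute: value}, including 'userPassword'

    def search(self, filter_str):
        m = re.fullmatch(r"\((\w[\w-]*)=([^()]*)\)", filter_str)
        if not m:
            raise ValueError("toy server only understands (attr=value)")
        attr, pattern = m.group(1), m.group(2)
        # Split on *unescaped* '*' first, so an escaped \2a stays a literal asterisk.
        pieces = [re.escape(_unescape(p)) for p in pattern.split("*")]
        rx = re.compile(".*".join(pieces), re.IGNORECASE)
        return [dn for dn, attrs in self.entries.items()
                if attr in attrs and rx.fullmatch(attrs[attr])]

    def bind(self, dn, password):
        # Mimics RFC 4513 5.1.2: DN plus empty password is an *unauthenticated* bind,
        # which many servers accept. The caller must never reach this with "".
        if password == "":
            return True
        entry = self.entries.get(dn)
        return entry is not None and entry.get("userPassword") == password


class Ldap3Directory:
    """Same interface against a real server via ldap3 (assumption: ldap3 is installed)."""

    def __init__(self, url, base_dn, service_dn, service_pw):
        from ldap3 import Server, Connection  # lazy import; the offline demo needs no ldap3
        self._Connection = Connection
        self.server = Server(url)  # use an ldaps:// URL so the user's password is not sent in clear
        self.base_dn, self.service_dn, self.service_pw = base_dn, service_dn, service_pw

    def search(self, filter_str):
        conn = self._Connection(self.server, user=self.service_dn,
                                password=self.service_pw, auto_bind=True)
        try:
            conn.search(self.base_dn, filter_str)  # only the DNs are needed
            return [e.entry_dn for e in conn.entries]
        finally:
            conn.unbind()

    def bind(self, dn, password):
        conn = self._Connection(self.server, user=dn, password=password)
        try:
            return bool(conn.bind())
        finally:
            conn.unbind()


def authenticate(directory, login_attr, username, password):
    """Return the user's DN on success, None on any failure (ambiguity included)."""
    if not username or not password:          # empty password would be an unauthenticated bind
        return None
    matches = directory.search(build_user_filter(login_attr, username))
    if len(matches) != 1:                     # zero or ambiguous: refuse, do not pick one
        return None
    dn = matches[0]
    return dn if directory.bind(dn, password) else None


def sample_directory():
    """Constructed entries: one uidObject-style user and one bare 'person' sharing a cn."""
    return InMemoryDirectory({
        "uid=jdoe,ou=people,dc=example,dc=com":
            {"uid": "jdoe", "cn": "Jane Doe", "userPassword": "correct horse"},
        "cn=Jane Doe,ou=contractors,dc=example,dc=com":
            {"cn": "Jane Doe", "userPassword": "battery staple"},
    })


if __name__ == "__main__":
    d = sample_directory()
    print(authenticate(d, "uid", "jdoe", "correct horse"))  # the user's DN
    print(authenticate(d, "cn", "Jane Doe", "correct horse"))  # None: two entries match the cn
    print(authenticate(d, "uid", "jdoe)(uid=*", "x"))         # None: injection attempt escaped
    print(authenticate(d, "uid", "jdoe", ""))                 # None: empty password refused
```

The login attribute is the deployment's choice, so the same code serves a directory with uidObject, one that uses cn under a bare person objectclass, or Active Directory with sAMAccountName; what does not change is the escape, the exactly-one rule and the empty-password check.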