[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentication using DN or uid?

uid or DN ? That's the question.

I am writing an application that knows already almost all parts of 
the DN, the user supplies the last part of it.

For instance, if we are on the website of example.com, the 
webinterface knows that the user is


Hence, it is fairly easy to authenticate using the DN.
This simplifies ACL's and security, (AFAIK) because acces to certain 
entries can be matched by DN.

However, for some applications it might be needed to authenticate at 
the uid level. For instance ftp or email, the uid used is something 

user@ftp.example.com (for ftp)
or user@example.com (for email).

As far as I understand, the process goes as follows:
1. user tries to authenticate using user@example.com
2. ldapclient needs to be able to search the entire directory or at 
least a ceratin subtree, to find the DN that has this uid.
3. ldapclient needs to rebind using the found DN and the password.

In this model, anonymus search should be allowed; in the first 
model, no anonymous search (and subsequent rebind) is needed since 
we already have the DN.


o> I've been working with LDAP fairly successfully for about six 
months now,
> developing a customized authentication and access control library for a
> larger project.  My libraries need to talk to the widest range of
> directories possible, so I've assumed that those directories will store
> people entries using the lowest common denominator objectclass "person".  
> My question is, do most applications using LDAP for authentication really
> expect users to know and supply their DN to authenticate themselves?  I'm
> surprised that users cannot be identified by a username or uid (unless, of
> course, the directory admin uses the appropriate objectclasses).  Should I
> be assuming that the LCD objectclass for people will always include
> uidObject (or some other object class which has uid required)?  Such an
> assumption would seem risky to me.
> Perhaps I'm misunderstanding the whole LDAP authentication model.  Has
> anyone figured out how to use user-friendly usernames and still have their
> front-end talk to a wide variety of directories (on different platforms)?
> Thanks in advance.  I've been puzzling over this in the back -- and front --
> of my mind for several months.
> Kristin

Ace Suares, Internet Consultancy and Training
Keizersgracht 132,      1015 CW AMSTERDAM, NL
phone: 06 557 06 554    (+31 6 557 06 554) (voicebox)
fax: 08 48 707 705      (+31 84 870 770 5)
mailto:ace@suares.com   http://www.suares.com