
Re: LDAP Authentication by E-Mail Address

Wed, 2003-01-29 at 21:50, Thomas J. Baker wrote:

> I have a working LDAP server which can be queried by Evolution (Linux
> EMail Client) when authenticating with a DN. Assuming this is an ACL
> problem, what other ACLs would I need to allow authenticating by email
> address?

Sorry, I could have answered elsewhere ;)

I think you'll find that the fault is Evo's. It's there you have the
choice of authenticating with an e-mail address or a DN. However, that's
the Evo developer's fault, since only simple binds are allowed - even
SSL/TLS don't work as they should.

You have to bind to the ldap server with a DN; after you are
authenticated, then and only then does your e-mail address become
apparent. Look at it another way: If you bind anonymously and you either
don't have an e-mail address or ACLs prohibit non-authenticated entities
from viewing it, how can you authenticate? Your credentials are your DN
and password.

That being said, I learned the PHP that I do know partly out of a Wrox
book. The chapter on LDAP included stuff about how you program a "Myorg"
client for a "Myorg" directory. There, the funnies have different DNs.
One was:
dn="mail=mm@tubeforever.com,ou=pers,dc=myorg,dc=us". However, even then
that funny would still have to authenticate with its full DN - and
password. The only place that wouldn't apply is with a SASL bind using a
realm - but that comes later.

If you can, use GQ (www.biot.com for the latest, or your install CD) to
find things out. As well as a 'tail -f' on slapd.log at d256 while
you're trying things. You'd be surprised at how much easier trouble
shooting becomes.




Tony Earnshaw

When all's said and done ...
there's nothing left to say or do.

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
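The point Tony makes above (a simple bind takes a DN and a password, so "log in with an e-mail address" can only ever mean "resolve the DN first, then bind with it") is easy to see in code. The following is an added example and not part of the original thread or of Evolution; it uses a small in-memory stand-in for an LDAP server with constructed, hypothetical entries (`dc=example,dc=org`, the `evo-lookup` service account, the passwords) and a toy ACL under which anonymous binds cannot read `mail`. The client-side flow is the one a real mail client or PHP application would run against slapd: bind as a lookup identity, search `(mail=...)`, take the DN from the result, then simple-bind as that DN.

```python
"""Two-step LDAP login by e-mail address: resolve the DN, then simple-bind with it.

Constructed example: DIRECTORY below is an in-memory stand-in for an LDAP
server (hypothetical entries, not from any real system). It enforces the
ACL situation described in the post: an anonymous bind cannot read 'mail'.
"""
from dataclasses import dataclass
from typing import Optional

ANONYMOUS = None  # bind DN used for an anonymous bind

# Constructed directory contents (hypothetical DNs and passwords).
DIRECTORY = {
    "uid=tjb,ou=people,dc=example,dc=org": {
        "mail": "tjb@example.org",
        "userPassword": "correct-horse",
    },
    # A dedicated lookup account with a password; it exists only so the
    # client can search the 'mail' attribute without user credentials.
    "cn=evo-lookup,ou=services,dc=example,dc=org": {
        "userPassword": "service-secret",
    },
}

# Attributes an anonymous (unauthenticated) bind may not read.
HIDDEN_FROM_ANONYMOUS = {"mail", "userPassword"}


class BindError(Exception):
    """Raised when a bind is refused (LDAP 'invalidCredentials')."""


@dataclass
class Connection:
    bound_as: Optional[str] = None  # None means anonymous


def simple_bind(dn: Optional[str], password: Optional[str]) -> Connection:
    """Simple bind: the credentials are a DN and a password, nothing else."""
    if dn is ANONYMOUS:
        return Connection(bound_as=None)
    # A DN with an empty password is an 'unauthenticated bind' in LDAP;
    # a client must never treat that as a successful login, so refuse it.
    if not password:
        raise BindError("empty password: unauthenticated bind refused")
    entry = DIRECTORY.get(dn)
    if entry is None or entry.get("userPassword") != password:
        raise BindError("invalid credentials")
    return Connection(bound_as=dn)


def visible_attrs(conn: Connection, attrs: dict) -> dict:
    """Apply the toy ACL: anonymous sees neither mail nor passwords;
    authenticated identities see everything except userPassword."""
    if conn.bound_as is None:
        return {k: v for k, v in attrs.items() if k not in HIDDEN_FROM_ANONYMOUS}
    return {k: v for k, v in attrs.items() if k != "userPassword"}


def search_by_mail(conn: Connection, email: str) -> Optional[str]:
    """Equivalent of a subtree search with filter (mail=<email>); returns the DN."""
    for dn, attrs in DIRECTORY.items():
        if visible_attrs(conn, attrs).get("mail") == email:
            return dn
    return None


def authenticate_by_email(email: str, password: str,
                          lookup_dn: Optional[str] = ANONYMOUS,
                          lookup_password: Optional[str] = None) -> Optional[str]:
    """Client-side 'log in with e-mail'. Returns the bound DN, or None on failure.

    Step 1: bind as the lookup identity (anonymous by default) and search.
    Step 2: simple-bind as the DN found, with the user's password.
    If the lookup identity cannot read 'mail', step 1 yields no DN and there
    is nothing to bind as -- exactly the failure described in the post.
    """
    lookup_conn = simple_bind(lookup_dn, lookup_password)
    dn = search_by_mail(lookup_conn, email)
    if dn is None:
        return None
    try:
        return simple_bind(dn, password).bound_as
    except BindError:
        return None


if __name__ == "__main__":
    print(authenticate_by_email("tjb@example.org", "correct-horse"))  # None: anonymous can't see mail
    print(authenticate_by_email("tjb@example.org", "correct-horse",
                                "cn=evo-lookup,ou=services,dc=example,dc=org",
                                "service-secret"))  # the user's DN
```

Two things worth taking from the run: with only an anonymous lookup the login fails before any password is checked, which is the symptom reported in the thread, and the fix is not a looser ACL on `userPassword` but a lookup identity that is allowed to read `mail`. The empty-password check matters in real deployments as well, because a simple bind with a DN and no password is an unauthenticated bind that some servers accept, and a client that treats it as success has no authentication at all.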