Re: rewrite a login into a dn in simple bind
Hi,

Sorry if I don't understand the problem well enough, but let me try to explain
what I think you could do, by giving an example:

I am using a php/apache webpage to login to the ldap server, to let people
change their email password.

The easiest way is to let people enter their email address (which is
identical to the uid in my case), bind anonymously to find the dn, and rebind
with the found dn and the password.

However, that's not possible you say, because an anonymous bind cannot search
through the ldap database because of your boss' constraints.

A way out could be to make a separate tree (or an entirely separate database)
where you store the dn and the uid, and since you control that database, you
can give access to it by anonymous, to find the dn, and then bind to the
'real' database with the found dn and the password.

Obviously, keeping the second database in sync with the main database will be
a pain. It could be done, but it seems there are various obstacles in your
way.

Then, since you are talking about rewriting the dn, there must be a one-to-one
relationship between dn and uid. For instance, entries like:

    dn: xyz=$UID,ou=people,dc=example,dc=com
    cn: Babs Jensen for President!
    uid: $UID

where the UID (in attribute uid) is an exact part of the dn.
Your application then can easily construct a dn from a uid.

If there is no one-to-one mapping of uid's and dn's, could you tell me how you
envision 'rewriting' ?
_ace
--
Ace Suares' Internet Consultancy
website: http://www.suares.nl * http://www.qwikzite.nl
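
The message above suggests building the bind dn directly from the uid. The following is an added example, not part of the original message, showing that construction with RFC 4514 escaping and an empty-password check. The `UID_ALLOWED` pattern and the function names are assumptions; the dn template is the one from the message.

```python
import re

# DN layout from the message; "xyz" is the message's own placeholder attribute.
DN_TEMPLATE = "xyz={uid},ou=people,dc=example,dc=com"

# Assumption: logins are email-style uids, so a strict allow-list is possible.
UID_ALLOWED = re.compile(r"[A-Za-z0-9._%+-]+(@[A-Za-z0-9.-]+)?")

# Characters RFC 4514 section 2.4 requires to be escaped anywhere in a value.
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":   # leading space or '#'
            out.append("\\" + ch)
        elif i == last and ch == " ":  # trailing space
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_for(uid: str, password: str) -> str:
    """Return the DN to use in the simple bind, or raise ValueError."""
    if not password:
        # A DN with an empty password is an "unauthenticated bind"
        # (RFC 4513 section 5.1.2); a server may accept it without
        # verifying anything, so never pass it through.
        raise ValueError("empty password")
    if not UID_ALLOWED.fullmatch(uid):
        raise ValueError("uid contains characters outside the allow-list")
    # Escape even after validation: '+' is legal in an email address but
    # would otherwise start a second attribute in a multi-valued RDN.
    return DN_TEMPLATE.format(uid=escape_rdn_value(uid))


if __name__ == "__main__":
    # Constructed sample input.
    print(bind_dn_for("babs+list@example.com", "s3cret"))
```

The returned string is what the application would hand to its LDAP library's simple bind call together with the password.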