
Re: Logging in without full DN

A number of SASL mechanisms, including
DIGEST-MD5 (LDAP's mandatory-to-implement "strong"
authentication mechanism), CRAM-MD5, and PLAIN,
support authentication identities in the form of a
simple user name.  OpenLDAP Software supports these
mechanisms through Cyrus SASL.

And, yes, you can map simple user names to DNs.
See authz-regex in slapd.conf(5).

Note, however, you cannot use a simple user name as
the LDAP simple bind name as this is required to be


At 12:00 PM 10/7/2005, Sean Hussey wrote:
>Hi everyone,
>We're chugging along, unifying our databases and old LDAP installation
>with our new Unified LDAP solution.  Everything's going great.
>One of the new policies we have is to not allow anonymous lookups for
>address book searches.
>The issue with this is that our client base is...opposed to change. 
>Now, they would happily comply if all they had to do was put their
>username and password somewhere, but putting in the full DN?  I think
>there would be more typo'ed configs than not.
>Now, I've heard that you can configure OpenLDAP such that binding as
>"seanhussey" would alias to
>Was I dreaming, or is this possible?
>We're on 2.2.28 right now, but I'm in the middle of upgrading to 2.2.29.
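A worked slapd.conf fragment for the mapping the reply refers to, added here as an illustration rather than taken from the original thread or from the OpenLDAP documentation. The suffix dc=example,dc=com, the ou=People container and the DIGEST-MD5 realm example.com are assumptions; substitute your own. When a client authenticates with a SASL mechanism, slapd first forms an authentication identity DN of the shape uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth (the cn=<realm> component is absent when the mechanism supplies no realm), and the authz-regexp rules are then tried in order, the first match winning:

```conf
# slapd.conf (assumed layout; adjust suffix, container and realm to taste)

# 1. Mechanisms that carry no realm (e.g. PLAIN): the authentication
#    identity looks like uid=seanhussey,cn=plain,cn=auth.
#    [^,]* keeps a user name containing a comma from matching into
#    the wrong RDN; the rewritten value is a search URL, so the bind
#    only succeeds if exactly one entry under ou=People has that uid.
authz-regexp
  uid=([^,]*),cn=[^,]*,cn=auth
  ldap:///ou=People,dc=example,dc=com??one?(uid=$1)

# 2. Mechanisms that carry a realm (e.g. DIGEST-MD5 with realm
#    example.com): uid=seanhussey,cn=example.com,cn=digest-md5,cn=auth.
#    Pinning the realm to the literal example.com means an identity
#    presented under some other realm is not mapped at all.
authz-regexp
  uid=([^,]*),cn=example.com,cn=[^,]*,cn=auth
  ldap:///ou=People,dc=example,dc=com??one?(uid=$1)

# A direct DN on the right-hand side works too and avoids the search,
# at the cost of trusting that uid=$1 is exactly the entry's RDN:
#
# authz-regexp
#   uid=([^,]*),cn=[^,]*,cn=auth
#   uid=$1,ou=People,dc=example,dc=com
```

To check the mapping from a client, bind with the mechanism and the bare user name rather than a DN, for example `ldapsearch -Y DIGEST-MD5 -U seanhussey -R example.com -W -b "ou=People,dc=example,dc=com" "(objectClass=*)"`, and confirm in the slapd log that the SASL identity was rewritten to the expected DN. Two caveats a practitioner will want: DIGEST-MD5 and CRAM-MD5 require the server side to hold the password in a form it can compute the challenge response from (a cleartext userPassword or a sasldb entry), so they do not work against hashed passwords; and PLAIN sends the password in the clear unless the session is protected by TLS, so it should only be permitted on encrypted connections.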