[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Logging in without full DN

--On Friday, October 07, 2005 12:27 PM -0700 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

A number of SASL mechanisms, including
DIGEST-MD5 (LDAP's mandatory-to-implement "strong"
authentication mechanism), CRAM-MD5, and PLAIN,
support authentication identities in the form of a
simple user name.  OpenLDAP Software supports these
mechanisms through Cyrus SASL.

And, yes, you can map simple user names to DNs.
See authz-regex in slapd.conf(5).

Note, however, you cannot use a simple user name as
the LDAP simple bind name as this is required to be

And of course, I'm not aware of a single email client that supports SASL binds (they all live in the LDAP V2 world). I have open bugs about this against a number of email client software providers (Qualcomm, Apple, Mozilla).

Personally, I'd suggest some level of visibility controls on your data, with which you can then allow anonymous binds to read "world" data. We do this at Stanford, and email clients at this time can only access world data due to the limitations of their bind methods. If the clients are ever updated to use SASL, then they'll be able to get to Stanford views.


Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin