[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Logging in without full DN

Thanks for your help, everyone.  Given the lack of SASL support, I
think this is looking more and more like a job for our support folks. 
Education and scripting could get everyone configured correctly.

The config hack could work, but I'm unsure how well we'd be able to
support it in a production environment at the moment.  I'm definitely
filing it away for later use, though.  :)



On 10/8/05, Pierangelo Masarati <ando@sys-net.it> wrote:
> Given Quanah's comment on SASL availability in most mail clients, and
> keeping in mind that this __IS__ a hack (and a gross one...) you could
> do something like
> database bdb
> suffix dc=example,dc=com
> # ...
> database        ldap
> suffix          ""
> uri             ldap://localhost:9011
> rewriteEngine   on
> rewriteContext  default
> rewriteRule     ".*" "$0,ou=People,dc=example,dc=com" ":@"
> rewriteContext  searchResult
> rewriteRule     "^((.+),)?ou=People,dc=example,dc=com$" "$2" ":@"
> # These are required for completeness; "suffixmassage" needs work
> # to accept the empty DN
> rewriteContext  searchAttrDN alias searchResult
> rewriteContext  matchedDN alias searchResult
> rewriteContext  searchFilter
> In this case, assuming that your user's DN are of the type
> "uid=foo,ou=People,dc=example,dc=com" all you need to do is configure
> your clients with "uid=foo"; note the leading "uid=" which makes the
> identity token "foo" comply with DN syntax requirements.  In principle,
> you could do even more sophisticated stuff, in case the "uid" is not
> present in the RDN, or user DN do not all follow the same pattern.  See
> slapd-meta(5) (in 2.2; slapo-rwm(5) in 2.3) for details about writing
> the rules.