[Date Prev][Date Next]
Re: Logging in without full DN
Thanks for your help, everyone. Given the lack of SASL support, I
think this is looking more and more like a job for our support folks.
Education and scripting could get everyone configured correctly.
The config hack could work, but I'm unsure how well we'd be able to
support it in a production environment at the moment. I'm definitely
filing it away for later use, though. :)
On 10/8/05, Pierangelo Masarati <email@example.com> wrote:
> Given Quanah's comment on SASL availability in most mail clients, and
> keeping in mind that this __IS__ a hack (and a gross one...) you could
> do something like
> database bdb
> suffix dc=example,dc=com
> # ...
> database ldap
> suffix ""
> uri ldap://localhost:9011
> rewriteEngine on
> rewriteContext default
> rewriteRule ".*" "$0,ou=People,dc=example,dc=com" ":@"
> rewriteContext searchResult
> rewriteRule "^((.+),)?ou=People,dc=example,dc=com$" "$2" ":@"
> # These are required for completeness; "suffixmassage" needs work
> # to accept the empty DN
> rewriteContext searchAttrDN alias searchResult
> rewriteContext matchedDN alias searchResult
> rewriteContext searchFilter
> In this case, assuming that your user's DN are of the type
> "uid=foo,ou=People,dc=example,dc=com" all you need to do is configure
> your clients with "uid=foo"; note the leading "uid=" which makes the
> identity token "foo" comply with DN syntax requirements. In principle,
> you could do even more sophisticated stuff, in case the "uid" is not
> present in the RDN, or user DN do not all follow the same pattern. See
> slapd-meta(5) (in 2.2; slapo-rwm(5) in 2.3) for details about writing
> the rules.