Re: Authenticate to slapd using attribute other than DN
--On Monday, June 05, 2006 6:13 PM -0500 ryan woodsmall
Forgive me if I'm missing something blatantly obvious, but I'm nearing
completion on a project to set up the OpenLDAP slapd to proxy against MS
Active Directory servers. This in itself was a pretty large task, but
I've got something working nicely, and I'm most of the way there. I
have much messy Perl code to generate an OpenLDAP-compatible schema file
from an Active Directory schema partition LDIF dump.

What I'm currently stuck on is using an attribute other than the
Distinguished Name attribute to bind to my slapd instance(s). I've
gotten to the point where I can pull AD-specific attributes proxy-ing
through my OpenLDAP servers. The problem is that, for the sake of
ease-of-use, we want to be able to bind to slapd using something a
little nicer than the DN. Read this as "Our Windows and Mac users want
to be able to bind to the proxy using AD's 'sAMAccountName' attribute
or something as simple as the 'userPrincipalName' attribute." They
don't know their DNs and they don't really want to, which creates a bit
of a burden on me.

Currently, my OpenLDAP proxy server works fine when using a DN to bind.
I'm guessing that I need to use one of the authz-* directives for
slapd.conf/slapd-ldap to massage the data I'm sent into a usable DN with
which to bind. Is this the case? Can anyone recommend something or
send a snippet of their config if they're doing something simple?

I'm not sure that it's all that relevant, but I'm using a repackaged Red
Hat source RPM from Fedora Core 5 that I rebuilt on Red Hat Enterprise
4. I am currently running OpenLDAP version 2.3.19. Everything seems
stable and is working much better than I anticipated, given Red Hat's
somewhat specious record with previous OpenLDAP versions.

If I can solve this one hang-up, I think I'm golden. Thanks for any

Use a SASL mechanism like GSSAPI.
Principal Software Developer
ITS/Shared Application Services
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html