Re: Authenticate to slapd using attribute other than DN

--On Monday, June 05, 2006 6:13 PM -0500 ryan woodsmall <rwoodsmall@mac.com> wrote:

Forgive me if I'm missing something blatantly obvious, but I'm nearing
completion on a project to set up the OpenLDAP slapd to proxy against MS
Active Directory servers. This in itself was a pretty large task, but
I've got something working nicely, and I'm most of the way there. I
have much messy Perl code to generate an OpenLDAP-compatible schema file
from an Active Directory schema partition LDIF dump.

What I'm currently stuck on is using an attribute other than the
Distinguished Name attribute to bind to my slapd instance(s). I've
gotten to the point where I can pull AD-specific attributes proxying
through my OpenLDAP servers. The problem is that, for the sake of
ease-of-use, we want to be able to bind to slapd using something a
little nicer than the DN. Read this as "Our Windows and Mac users want
to be able to bind to the proxy using AD's 'sAMAccountName' attribute
or something as simple as the 'userPrincipalName' attribute." They
don't know their DNs and they don't really want to, which creates a bit
of a burden on me.

Currently, my OpenLDAP proxy server works fine when using a DN to bind.
I'm guessing that I need to use one of the authz-* directives for
slapd.conf/slapd-ldap to massage the data I'm sent into a usable DN with
which to bind. Is this the case? Can anyone recommend something or
send a snippet of their config if they're doing something simple?

I'm not sure that it's all that relevant, but I'm using a repackaged Red
Hat source RPM from Fedora Core 5 that I rebuilt on Red Hat Enterprise
4. I am currently running OpenLDAP version 2.3.19. Everything seems
stable and is working much better than I anticipated, given Red Hat's
somewhat specious record with previous OpenLDAP versions.

If I can solve this one hang-up, I think I'm golden.  Thanks for any

Use a SASL mechanism like GSSAPI.
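An added example, not from this thread or from OpenLDAP's own documentation: a slapd.conf fragment in OpenLDAP 2.3 syntax showing the authz-regexp mapping the question asks about, which turns the identity that a GSSAPI bind produces into the user's entry by looking it up on sAMAccountName. The realm EXAMPLE.COM, the suffix dc=example,dc=com and the allowed character set are assumptions.

```conf
# Example slapd.conf fragment (added here, not the poster's config).
# Assumes: Kerberos realm EXAMPLE.COM, proxied suffix dc=example,dc=com,
# and a keytab readable by slapd so GSSAPI binds succeed.

sasl-realm   EXAMPLE.COM

# A successful GSSAPI bind yields the SASL authentication identity
#   uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# authz-regexp rewrites that identity into either a DN or an LDAP URL;
# with a URL, slapd runs the search and the bind succeeds only if exactly
# one entry matches.
#
# The pattern is anchored and restricts the captured principal to the
# characters an sAMAccountName may contain (assumed set), so the value
# substituted into the filter cannot alter the filter's structure.
# The realm component is matched literally rather than with a wildcard,
# so a principal from another realm is not mapped to a local entry.
authz-regexp
  "^uid=([A-Za-z0-9._-]+)(,cn=EXAMPLE\.COM)?,cn=gssapi,cn=auth$"
  "ldap:///dc=example,dc=com??sub?(sAMAccountName=$1)"
```

Because the lookup is performed by slapd itself, the back-ldap proxy needs credentials of its own to run that search against AD (the slapd-ldap acl-bind and idassert-bind directives in 2.3); those settings are assumed to be in place and are not shown here.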
