[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authenticate to slapd using attribute other than DN

Use a SASL mechanism that supports the desired credential form.

At 04:13 PM 6/5/2006, ryan woodsmall wrote:
>Forgive me if I'm missing something blatantly obvious, but I'm  
>nearing completion on a project to set up the OpenLDAP slapd to proxy  
>against MS Active Directory servers.  This in itself was a pretty  
>large task, but I've got something working nicely, and I'm most of  
>the way there.  I have much messy Perl code to generate an OpenLDAP- compatible schema file from an Active Directory schema partition LDIF  
>What I'm currently stuck on is using an attribute other than the  
>Distinguished Name attribute to bind to my slapd instance(s).  I've  
>gotten to the point where I can pull AD-specific attributes proxy-ing  
>through my OpenLDAP servers.  The problem is that, for the sake of  
>ease-of-use, we want to be able to bind to slapd using something a  
>little nicer than the DN.  Read this as "Our Windows and Mac users  
>want to be able to bind to the proxy using AD's 'sAMAccountName'   
>attribute or something as simple as the 'userPrincipalName'  
>attribute."  They don't know their DNs and they don't really want to,  
>which creates a bit of a burden on me.
>Currently, my OpenLDAP proxy server works fine when using a DN to  
>bind.  I'm guessing that I need to use one of the authz-* directives  
>for slapd.conf/slapd-ldap to massage the data I'm sent into a usable  
>DN with which to bind.  Is this the case?  Can anyone recommend  
>something or send a snippet of their config if they're doing  
>something simple?
>I'm not sure that it's all that relevant, but I'm using a repackaged  
>Red Hat source RPM from Fedora Core 5 that I rebuilt on Red Hat  
>Enterprise 4.  I am currently running OpenLDAP version 2.3.19.   
>Everything seems stable and is working much better than I  
>anticipated, given Red Hat's somewhat specious record with previous  
>OpenLDAP versions.
>If I can solve this one hang-up, I think I'm golden.  Thanks for any  
>  ryan woodsmall
>    rwoodsmall@mac.com
>"Be well, do good work, and keep in touch." - Garrison Keillor