[Date Prev][Date Next]
Re: Authenticate to slapd using attribute other than DN
Use a SASL mechanism that supports the desired credential form.
At 04:13 PM 6/5/2006, ryan woodsmall wrote:
>Forgive me if I'm missing something blatantly obvious, but I'm
>nearing completion on a project to set up the OpenLDAP slapd to proxy
>against MS Active Directory servers. This in itself was a pretty
>large task, but I've got something working nicely, and I'm most of
>the way there. I have much messy Perl code to generate an OpenLDAP- compatible schema file from an Active Directory schema partition LDIF
>What I'm currently stuck on is using an attribute other than the
>Distinguished Name attribute to bind to my slapd instance(s). I've
>gotten to the point where I can pull AD-specific attributes proxy-ing
>through my OpenLDAP servers. The problem is that, for the sake of
>ease-of-use, we want to be able to bind to slapd using something a
>little nicer than the DN. Read this as "Our Windows and Mac users
>want to be able to bind to the proxy using AD's 'sAMAccountName'
>attribute or something as simple as the 'userPrincipalName'
>attribute." They don't know their DNs and they don't really want to,
>which creates a bit of a burden on me.
>Currently, my OpenLDAP proxy server works fine when using a DN to
>bind. I'm guessing that I need to use one of the authz-* directives
>for slapd.conf/slapd-ldap to massage the data I'm sent into a usable
>DN with which to bind. Is this the case? Can anyone recommend
>something or send a snippet of their config if they're doing
>I'm not sure that it's all that relevant, but I'm using a repackaged
>Red Hat source RPM from Fedora Core 5 that I rebuilt on Red Hat
>Enterprise 4. I am currently running OpenLDAP version 2.3.19.
>Everything seems stable and is working much better than I
>anticipated, given Red Hat's somewhat specious record with previous
>If I can solve this one hang-up, I think I'm golden. Thanks for any
> ryan woodsmall
>"Be well, do good work, and keep in touch." - Garrison Keillor