
HOWTO bind with uid only (short name)

I have a corporate white pages directory [using OpenLDAP] which requires
authentication.  My desire is that users, when configuring their ldap
clients, will only need to put in their username and password, but I
have not yet found a way to do this.

Here are some details that might help:

   * Desired binding DN for a user: "username"
   * Current binding DN for a user: "uid=username,dc=example,dc=com"

The directory is perfectly flat.

Here are some additional OpenLDAP specifics with regard to my current
authentication setup:

   * Passwords are backended by kerberos
   * Users may not have a ticket prior to binding, so cn=gssapi,cn=auth
     is not feasible.
   * userPassword is set to "{GSSAPI}username@EXAMPLE.COM"
   * A /usr/lib/sasl2/slapd.conf file is in place, directing GSSAPI ->
     SASL auth requests to saslauthd
   * saslauthd is configured to use PAM
   * /etc/pam.d/ldap (the service that slapd considers itself)

     auth            required        pam_krb5.so ignore_root
     account         required        pam_krb5.so ignore_root
     password        optional        pam_krb5.so ignore_root
     session         optional        pam_krb5.so ignore_root

   * /etc/krb5.conf contains the right bits.

Using this config, users are currently able to bind and authenticate using their kerberos passwords (not tickets).

I've looked into using sasl-regexp, but as that seems to change the sasl
identity, not the bind DN, it does not do what we want. It also appears
unnecessary in our case, as the only way I've found to do authentication
with passwords against either PAM or kerberos directly, is via
saslauthd, which seems to only be invokable when doing auth via
userPassword set to {GSSAPI}$principal.

So, in summary, I would be very interested in the solutions to

   a) how can I have a user specify a bind dn of "username" or even

   b) how can I tell OpenLDAP to authenticate with passwords directly
      against PAM

   c) how can I tell OpenLDAP to allow *anyone* who can authenticate
      against kerberos with a password (perhaps via PAM), without
      even having a per user DN, to bind.



-- Brian Elliott Finley Mobile: 630.631.6621
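As an added example, not from the post above and not OpenLDAP's own code, the following Python shows the client-side half of question (a): taking the short username a user types and turning it into the bind DN form the post already uses ("uid=username,dc=example,dc=com"). The base DN is taken from the post; the whitelist pattern, the function names and the strict/non-strict behaviour are assumptions for this example. The point worth getting right on the client is that the username is an attribute value inside a DN, so it must either be restricted to safe characters or be escaped per RFC 4514 before it is spliced in; otherwise a value like "jdoe,dc=evil" changes the structure of the DN the client sends.

```python
import re

# Base DN of the flat directory described in the post.
BASE_DN = "dc=example,dc=com"

# Conservative whitelist for short names (assumption for this example).
_SHORT_NAME = re.compile(r"^[A-Za-z0-9._-]{1,64}$")

# Characters that must be backslash-escaped anywhere inside a DN
# attribute value (RFC 4514, section 2.4).
_SPECIAL = set('"+,;<>\\')


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")              # NUL is written as a hex pair
        elif ch in _SPECIAL:
            out.append("\\" + ch)           # structural characters
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")               # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")               # leading '#'
        else:
            out.append(ch)
    return "".join(out)


def bind_dn_for(username: str, base_dn: str = BASE_DN, strict: bool = True) -> str:
    """Build the bind DN from a short name.

    strict=True rejects anything outside the whitelist (the safer default
    for a corporate directory with simple account names); strict=False
    accepts any name but escapes it so it cannot alter the DN structure.
    """
    if not username:
        raise ValueError("username must not be empty")
    if strict and not _SHORT_NAME.match(username):
        raise ValueError(f"username contains characters outside the allowed set: {username!r}")
    return f"uid={escape_dn_value(username)},{base_dn}"


if __name__ == "__main__":
    # Constructed sample inputs; the DN is what the client would pass to bind().
    print(bind_dn_for("jdoe"))
    print(bind_dn_for("jdoe,dc=evil", strict=False))
```

The strict mode is the one to use where account names are known to be plain; the escaping path is there for directories whose uid values legitimately contain commas, plus signs or quotes. No network call is made here: the returned string is the bind DN a client library would be handed together with the user's password.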