Re: HOWTO bind with uid only (short name)

Brian Elliott Finley wrote:
I have a corporate white pages directory [using OpenLDAP] which requires
authentication.  My desire is that users, when configuring their ldap
clients, will only need to put in their username and password, but I
have not yet found a way to do this.

Here are some details that might help:

   * Desired binding DN for a user: "username"
   * Current binding DN for a user: "uid=username,dc=example,dc=com"

The directory is perfectly flat.

The only standards-compliant way to Bind with a simple username is using SASL Binds.

Since you're using Kerberos anyway, SASL/GSSAPI is the logical choice.

Here are some additional OpenLDAP specifics with regard to my current
authentication setup:

   * Passwords are backended by kerberos
   * Users may not have a ticket prior to binding, so cn=gssapi,cn=auth
     is not feasible.

Then there is no simple solution. Write wrappers for your clients that check to make sure a TGT exists before binding, doing the appropriate initial authentication step if not.

   * userPassword is set to "{GSSAPI}username@EXAMPLE.COM"

You probably mean {SASL} as there is no {GSSAPI} password mechanism in OpenLDAP.

  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
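The client-side wrapper suggested in the reply above, written as an added example (it is not code from the thread or from the OpenLDAP project): it checks the credential cache for a valid TGT, runs kinit for the user's principal only when none exists, and then binds with SASL/GSSAPI. The realm EXAMPLE.COM and the server URI ldap://ldap.example.com are assumed placeholders; the mapping from the Kerberos identity to the flat directory entry is done on the slapd side (authz-regexp), not by the client.

```shell
#!/bin/sh
# Added example wrapper, not from the original thread.
# Assumed placeholders: override LDAP_URI and KRB_REALM for your site.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
KRB_REALM="${KRB_REALM:-EXAMPLE.COM}"

# ensure_tgt USERNAME: return 0 once the credential cache holds a valid TGT,
# obtaining one with kinit (which prompts for the password) if needed.
ensure_tgt() {
    user="$1"
    [ -n "$user" ] || { echo "usage: ensure_tgt USERNAME" >&2; return 2; }
    # klist -s is silent and exits 0 only when unexpired tickets exist.
    if klist -s 2>/dev/null; then
        return 0
    fi
    echo "no valid Kerberos ticket; requesting one for $user@$KRB_REALM" >&2
    kinit "$user@$KRB_REALM" || return 1
    # Re-check rather than trusting kinit's exit status blindly.
    klist -s
}

# ldap_whoami USERNAME: perform the GSSAPI bind and print the authorization
# identity slapd derived from the Kerberos principal (via its authz-regexp
# rules), which is the easiest way to confirm the server-side mapping.
ldap_whoami() {
    ensure_tgt "$1" || return 1
    # -Y GSSAPI selects the SASL mechanism; -Q suppresses SASL chatter.
    ldapwhoami -Q -Y GSSAPI -H "$LDAP_URI"
}

# Usage: sh wrapper.sh USERNAME
if [ -n "${1:-}" ]; then
    ldap_whoami "$1"
fi
```

Any other client invocation (ldapsearch -Y GSSAPI, for instance) can be substituted for ldapwhoami once ensure_tgt has succeeded.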