[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: HOWTO bind with uid only (short name)

Thus spake Howard Chu (hyc@symas.com):
Brian Elliott Finley wrote:
I have a corporate white pages directory [using OpenLDAP] which requires
authentication.  My desire is that users, when configuring their ldap
clients, will only need to put in their username and password, but I
have not yet found a way to do this.

Here are some details that might help:

   * Desired binding DN for a user: "username"
   * Current binding DN for a user: "uid=username,dc=example,dc=com"

The directory is perfectly flat.

The only standards-compliant way to Bind with a simple username is using SASL Binds.

Since you're using Kerberos anyway, SASL/GSSAPI is the logical choice.

Here are some additional OpenLDAP specifics with regard to my current
authentication setup:

   * Passwords are backended by kerberos
   * Users may not have a ticket prior to binding, so cn=gssapi,cn=auth
     is not feasible.

Then there is no simple solution. Write wrappers for your clients that check to make sure a TGT exists before binding, doing the appropriate initial authentication step if not.

Bummer. Wrappers will not be feasible in this case, as the clients may vary far and wide. Some may not even be configured to use kerberos.

* userPassword is set to "{GSSAPI}username@EXAMPLE.COM"

You probably mean {SASL} as there is no {GSSAPI} password mechanism in OpenLDAP.

Yes. You are correct. And to be perfectly clear for archival purposes, I have userPassword set to "{SASL}username@EXAMPLE.COM".



  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

-- Brian Elliott Finley Mobile: 630.631.6621