
Re: Bind with alternative DN pattern

On 01/13/12 00:30 +0100, Mathias wrote:

I have trouble understanding a rather simple LDAP config issue that
I'm sure someone on this list can easily help with:

How do I add a (or change the) pattern of the bind DN that slapd lets
me authenticate with?

I have a working slapd setup that I can happily bind to using DNs of
the form "cn=Bob Parr,dc=example,dc=com". However, all accounts also
have a unique "uid" attribute that I would like to use in addition to
(or, if not possible, instead of) the "cn"-based RDN for binding.
So, I'd like to (also) bind using the DN "uid=bob,dc=example,dc=com".
My understanding is that one entry can have several DNs as long as
each one is unambiguous. Shouldn't I be able to bind with any one of

I have spent hours on searching for documentation on this and turned
up surprisingly little. The problem is not an ACL issue since the
logged error when trying a "uid"-based bind is "DB_NOTFOUND: No
matching key/data pair found" rather than anything else...

I'd be _very_ grateful for any pointers on this...


Each entry within your tree has a unique DN which must be used when
performing simple binds. If you'd like to change the DN, you can use the
ldapmodrdn utility:

ldapmodrdn -x -W -D "your admin DN" "cn=Bob Parr,dc=example,dc=com" "uid=bob"

which would rename your DN for that entry. The DN will of course need to be
unique. You could not have two uid=bob entries, under the same hierarchy.

If you need more flexibility in mapping authentication identities to DNs,
try using SASL.

Dan White
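The point Dan makes, that slapd looks an entry up by exactly one DN and that a rename via modrdn is what changes it, is easy to see in a small model. The following is an added illustration written for this thread, not code from either poster or from OpenLDAP: a toy in-memory directory keyed by the normalized DN, with a simple bind, a modrdn that mirrors ldapmodrdn (including the -r "delete old RDN" behaviour) and the uniqueness check that stops two uid=bob RDNs under the same parent. The entry data and password are constructed sample values.

```python
"""Toy model of how slapd keys entries by their DN, showing why a bind with
"uid=bob,dc=example,dc=com" fails until the entry is renamed with modrdn.
Added illustration for this thread; not code from the thread or from OpenLDAP."""
import re
from typing import Dict, List


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDNs, leaving backslash-escaped commas alone (RFC 4514)."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn)]


def normalize_dn(dn: str) -> str:
    """Canonical key: attribute types and values case-folded. Assumes every
    attribute uses caseIgnore matching, which holds for cn, uid and dc."""
    parts = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition('=')
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ','.join(parts)


class NoSuchObject(Exception):
    """No entry has the requested DN (the 'no matching key' case in the thread)."""


class AlreadyExists(Exception):
    """An add or rename would produce a duplicate DN."""


class InvalidCredentials(Exception):
    """The entry exists but the password does not match."""


class ToyDirectory:
    def __init__(self) -> None:
        # The only lookup key is the normalized DN; uid is just an attribute, not a key.
        self.entries: Dict[str, Dict[str, List[str]]] = {}

    def add(self, dn: str, attrs: Dict[str, List[str]]) -> None:
        key = normalize_dn(dn)
        if key in self.entries:
            raise AlreadyExists(dn)
        self.entries[key] = {a: list(v) for a, v in attrs.items()}

    def simple_bind(self, dn: str, password: str) -> str:
        entry = self.entries.get(normalize_dn(dn))
        if entry is None:
            raise NoSuchObject(dn)
        if password not in entry.get('userPassword', []):
            raise InvalidCredentials(dn)
        return normalize_dn(dn)

    def modrdn(self, dn: str, new_rdn: str, delete_old_rdn: bool = False) -> str:
        """Rename an entry the way ldapmodrdn does; returns the new DN."""
        old_key = normalize_dn(dn)
        if old_key not in self.entries:
            raise NoSuchObject(dn)
        old_rdn, *parent = split_dn(dn)
        new_dn = ','.join([new_rdn] + parent)
        new_key = normalize_dn(new_dn)
        if new_key in self.entries:
            raise AlreadyExists(new_dn)     # two uid=bob under one parent is impossible
        entry = self.entries.pop(old_key)
        new_attr, _, new_val = new_rdn.partition('=')
        # The new RDN value must be present in the entry; it is added if missing.
        if new_val not in entry.setdefault(new_attr, []):
            entry[new_attr].append(new_val)
        if delete_old_rdn:                  # ldapmodrdn -r: drop the old RDN value
            old_attr, _, old_val = old_rdn.partition('=')
            entry[old_attr] = [v for v in entry[old_attr] if v != old_val]
        self.entries[new_key] = entry
        return new_dn


def demo() -> Dict[str, object]:
    """Walk through the situation in the thread on constructed sample data."""
    d = ToyDirectory()
    d.add("cn=Bob Parr,dc=example,dc=com",
          {"cn": ["Bob Parr"], "uid": ["bob"], "userPassword": ["s3cret"]})
    out: Dict[str, object] = {}
    try:                                    # uid-based DN is not a key, so the bind fails
        d.simple_bind("uid=bob,dc=example,dc=com", "s3cret")
    except NoSuchObject:
        out["before_rename"] = "noSuchObject"
    out["renamed_to"] = d.modrdn("cn=Bob Parr,dc=example,dc=com", "uid=bob")
    out["after_rename"] = d.simple_bind("UID=Bob, DC=Example, DC=com", "s3cret")
    out["cn_kept"] = d.entries[normalize_dn(out["renamed_to"])]["cn"]
    try:                                    # the old DN no longer resolves
        d.simple_bind("cn=Bob Parr,dc=example,dc=com", "s3cret")
    except NoSuchObject:
        out["old_dn"] = "noSuchObject"
    d.add("cn=Other Bob,dc=example,dc=com",
          {"cn": ["Other Bob"], "uid": ["bob"], "userPassword": ["x"]})
    try:                                    # a second uid=bob RDN under the same parent is rejected
        d.modrdn("cn=Other Bob,dc=example,dc=com", "uid=bob")
    except AlreadyExists:
        out["duplicate"] = "alreadyExists"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note that without the delete-old-RDN option the cn value stays on the entry after the rename, so searches by cn keep working while only the bind DN changes; that matches what the ldapmodrdn invocation above does.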