RE: Question about OpenLDAP and rwm overlay
- To: Dieter Kluenter <dieter@dkluenter.de>
- Subject: RE: Question about OpenLDAP and rwm overlay
- From: "Vandenburgh, Steve Y" <Steve.Vandenburgh@centurylink.com>
- Date: Tue, 29 Oct 2019 03:55:09 +0000
- Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- In-reply-to: <87zhhkr9qn.fsf@pink.fritz.box>
- References: <BN7PR02MB3938806E548A066A7C8E24DAF4640@BN7PR02MB3938.namprd02.prod.outlook.com> <20191026202739.4a2cfed3@pink.fritz.box> <EC89FCC762466F6DF7F62D2D@[192.168.1.144]> <BN7PR02MB3938DF22E38CC952A12A777CF4660@BN7PR02MB3938.namprd02.prod.outlook.com> <87zhhkr9qn.fsf@pink.fritz.box>
- Thread-topic: Question about OpenLDAP and rwm overlay
Thanks Dieter. I'm trying to perform a simple bind operation with a UPN and password. Based on this OpenLDAP mail archive thread: https://openldap-technical.openldap.narkive.com/8IrfS6xa/binding-with-an-e-mail-address, authid-rewrite or olcAuthIdRewrite can only be used to modify the DN for SASL or certificate-based authentication; it can't be used to modify simple bind DNs. Is that still the case, or is this information now out of date?
Thanks again,
Steve Vandenburgh
LDAP Directory Services/Identity Management
CenturyLink
(720)738-2688
-----Original Message-----
From: Dieter Kluenter <dieter@dkluenter.de>
Sent: Monday, October 28, 2019 12:44 PM
To: Vandenburgh, Steve Y <Steve.Vandenburgh@centurylink.com>
Cc: openldap-technical@openldap.org
Subject: Re: Question about OpenLDAP and rwm overlay
"Vandenburgh, Steve Y" <Steve.Vandenburgh@centurylink.com> writes:
> Thanks for the tip Quanah (and Dieter). I have added the MSUser
> schema to the configuration. However, I'm still getting the same
> behavior. If I use a bind DN like
>
> Mail=myname@mycompany.com
>
> which is potentially a valid DN, the rewriting is applied; however if
> the bind DN is just the email address e.g.
>
> myname@mycompany.com
>
> then the OpenLDAP returns error 34 (invalid DN). So before I do more
> troubleshooting, I wanted to ask if the rewrite rules can be applied
> before the syntax check on the bind DN is done. If the OpenLDAP
> server always performs the syntax check on the DN before any rewrite
> rules are applied, then what I'm trying to accomplish (using a
> Microsoft UPN bind DN) cannot be done.
For this sort of DN rewriting slapd.conf(5) provides 'authid-rewrite' or 'olcAuthIdRewrite' in slapd-config(5).
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
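The behaviour Steve observes (error 34 for a bare UPN, successful rewriting for `Mail=...`) follows from the order of operations: slapd checks the bind DN against RFC 4514 syntax before any rwm rewrite rule sees it. The model below is an added example, not code from OpenLDAP or from either poster; it uses a deliberately simplified DN validator (quoted and hex values are not handled) and a constructed rule set in the style of slapd-rwm(5) `rewriteRule` entries, with `ou=people,dc=example,dc=com` as an assumed target suffix.

```python
import re

# Constructed model of how slapd handles a simple-bind DN: the DN is
# syntax-checked first and only then passed through rwm rewrite rules.
# This is an illustration, not slapd's actual code.

INVALID_DN_SYNTAX = 34  # LDAP result code returned for a malformed DN

# RFC 4514 attribute type: a descriptor (keystring) or a numeric OID.
_ATTR_TYPE = r"(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)"
# Attribute value, simplified: no quoting, hex form or escapes handled here.
_ATTR_VALUE = r"[^,+=\\]*"
_RDN = rf"{_ATTR_TYPE}={_ATTR_VALUE}(?:\+{_ATTR_TYPE}={_ATTR_VALUE})*"
# An empty DN (anonymous bind) is valid, hence the outer optional group.
_DN_RE = re.compile(rf"^(?:{_RDN}(?:,{_RDN})*)?$")


def is_valid_dn(dn: str) -> bool:
    """Return True if `dn` parses as an RFC 4514 DN (simplified check)."""
    return bool(_DN_RE.match(dn))


# Constructed rules modelled on slapd-rwm(5) rewriteRule entries. slapd
# writes back-references as $1; Python's re uses \1, so that form is used.
REWRITE_RULES = [
    # Mail=<address>  ->  uid=<address>,ou=people,dc=example,dc=com
    (r"^mail=([^,]+)$", r"uid=\1,ou=people,dc=example,dc=com"),
    # A rule for a bare UPN. It can never fire for a simple bind, because
    # a bare UPN is rejected by the syntax check before rewriting runs.
    (r"^([^,=@]+@[^,=]+)$", r"userPrincipalName=\1,ou=people,dc=example,dc=com"),
]


def apply_rewrite(dn: str) -> str:
    """Apply the first matching rewrite rule (attribute types are
    case-insensitive in LDAP, so matching ignores case)."""
    for pattern, replacement in REWRITE_RULES:
        m = re.match(pattern, dn, re.IGNORECASE)
        if m:
            return m.expand(replacement)
    return dn  # no rule matched: DN passes through unchanged


def simple_bind_dn(dn: str):
    """Model the ordering slapd applies to a simple bind: syntax check
    first, rewrite second. Returns (result_code, effective_dn)."""
    if not is_valid_dn(dn):
        return INVALID_DN_SYNTAX, None
    return 0, apply_rewrite(dn)


if __name__ == "__main__":
    # The two bind DNs from the thread (constructed sample values).
    for candidate in ("Mail=myname@mycompany.com", "myname@mycompany.com"):
        code, effective = simple_bind_dn(candidate)
        print(f"{candidate!r}: result={code} effective_dn={effective!r}")
```

Running it shows `Mail=myname@mycompany.com` being rewritten to the `uid=` form, while `myname@mycompany.com` is rejected with result 34 before the UPN rule is ever consulted; that is why a UPN rewrite has to happen somewhere other than a bind-DN rewrite rule.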