
Re: Logging in without full DN

On Fri, 2005-10-07 at 13:00 -0700, Quanah Gibson-Mount wrote:
> --On Friday, October 07, 2005 12:27 PM -0700 "Kurt D. Zeilenga" 
> <Kurt@OpenLDAP.org> wrote:
> > A number of SASL mechanisms, including
> > DIGEST-MD5 (LDAP's mandatory-to-implement "strong"
> > authentication mechanism), CRAM-MD5, and PLAIN,
> > support authentication identities in the form of a
> > simple user name.  OpenLDAP Software supports these
> > mechanisms through Cyrus SASL.
> >
> > And, yes, you can map simple user names to DNs.
> > See authz-regex in slapd.conf(5).
> >
> > Note, however, you cannot use a simple user name as
> > the LDAP simple bind name as this is required to be
> > an LDAP DN.
> And of course, I'm not aware of a single email client that supports SASL 
> binds (they all live in the LDAP V2 world).  I have open bugs about this 
> against a number of email client software providers (Qualcomm, Apple, 
> Mozilla).

Given Quanah's comment on SASL availability in most mail clients, and
keeping in mind that this __IS__ a hack (and a gross one...) you could
do something like

database bdb
suffix dc=example,dc=com
# ...

database        ldap
suffix          ""
uri             ldap://localhost:9011
rewriteEngine   on
rewriteContext  default
rewriteRule     ".*" "$0,ou=People,dc=example,dc=com" ":@"
rewriteContext  searchResult
rewriteRule     "^((.+),)?ou=People,dc=example,dc=com$" "$2" ":@"
# These are required for completeness; "suffixmassage" needs work
# to accept the empty DN
rewriteContext  searchAttrDN alias searchResult
rewriteContext  matchedDN alias searchResult
rewriteContext  searchFilter

In this case, assuming that your users' DNs are of the form
"uid=foo,ou=People,dc=example,dc=com", all you need to do is configure
your clients with "uid=foo"; note the leading "uid=", which makes the
identity token "foo" comply with DN syntax requirements.  In principle,
you could do even more sophisticated stuff, in case the "uid" is not
present in the RDN, or user DNs do not all follow the same pattern.  See
slapd-meta(5) (in 2.2; slapo-rwm(5) in 2.3) for details about writing
the rules.


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
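The following is an added example, not code from the post above or from OpenLDAP: a small Python simulation of the two rewriteRule lines in the posted slapd.conf, so you can see what the proxy would forward on a bind and what it would hand back in search results. It assumes Python's `re` module in place of slapd's POSIX regex engine (so the post's `$0`/`$2` back-references become `\g<0>`/`\g<2>`), the suffix `ou=People,dc=example,dc=com` from the post, and a deliberately simplified `is_dn` check (every RDN must look like `attr=value`); `rewrite`, `bind_dn_for_client` and `CONTEXTS` are names chosen for this example, not slapd API.

```python
import re

# Constructed value: the suffix the posted rules append on the way in
# (bind name) and strip on the way out (search results).
SUFFIX = "ou=People,dc=example,dc=com"

# The two rewriteRule lines from the posted slapd.conf, transcribed to
# Python regexes.  slapd's $0/$2 become \g<0>/\g<2>.  The ":@" flag in the
# post means "stop after this rule", so one rule per context is enough.
DEFAULT_RULE = (re.compile(r".*"), r"\g<0>," + SUFFIX)
SEARCH_RESULT_RULE = (
    re.compile(r"^((.+),)?" + re.escape(SUFFIX) + r"$"),
    r"\g<2>",
)

# Contexts as named in the post: searchAttrDN and matchedDN alias
# searchResult; searchFilter is declared with no rule, so filter values
# pass through unchanged.
CONTEXTS = {
    "default": [DEFAULT_RULE],
    "searchResult": [SEARCH_RESULT_RULE],
    "searchAttrDN": [SEARCH_RESULT_RULE],
    "matchedDN": [SEARCH_RESULT_RULE],
    "searchFilter": [],
}


def rewrite(context, value):
    """Apply the first matching rule of a context.

    As with slapd's rewrite engine, the whole value is replaced by the
    expanded substitution pattern (not just the matched part), and the
    ':@' flag stops further rules.  Unmatched optional groups expand to ''.
    """
    for pattern, repl in CONTEXTS[context]:
        m = pattern.search(value)
        if m:
            return m.expand(repl)
    return value


# Simplified DN syntax check used only by this example: every RDN must be
# "attr=value".  This is an assumption of the example, not slapd's RFC 4514
# parser (escaped commas, multi-valued RDNs etc. are not handled).
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def is_dn(value):
    if value == "":
        return True  # the empty DN (root DSE) is syntactically valid
    return all(_RDN.match(rdn) for rdn in value.split(","))


def bind_dn_for_client(identity):
    """Return (DN forwarded to the real database, whether it is DN-syntax)."""
    dn = rewrite("default", identity)
    return dn, is_dn(dn)


if __name__ == "__main__":
    # A client configured with "uid=foo" (as the post advises) binds as the
    # full DN; a bare "foo" yields something that is not a DN at all, which
    # is the point of the leading "uid=" in the post.
    for ident in ("uid=foo", "foo"):
        print(ident, "->", bind_dn_for_client(ident))
    # Entries under the suffix come back with the suffix stripped again.
    print(rewrite("searchResult", "uid=foo,ou=People,dc=example,dc=com"))
```

Note that the `.*` in the default rule also matches the empty string, so in this simulation an empty bind name becomes `,ou=People,dc=example,dc=com`; the post itself only says that the empty-DN handling of suffixmassage "needs work", so treat that case as something to verify against your own slapd rather than as documented behaviour.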