
Re: Logging in without full DN



Thanks for your help, everyone.  Given the lack of SASL support, I
think this is looking more and more like a job for our support folks. 
Education and scripting could get everyone configured correctly.

The config hack could work, but I'm unsure how well we'd be able to
support it in a production environment at the moment.  I'm definitely
filing it away for later use, though.  :)

Thanks!

Sean

On 10/8/05, Pierangelo Masarati <ando@sys-net.it> wrote:
> Given Quanah's comment on SASL availability in most mail clients, and
> keeping in mind that this __IS__ a hack (and a gross one...) you could
> do something like
>
> database bdb
> suffix dc=example,dc=com
> # ...
>
> database        ldap
> suffix          ""
> uri             ldap://localhost:9011
> rewriteEngine   on
> rewriteContext  default
> rewriteRule     ".*" "$0,ou=People,dc=example,dc=com" ":@"
> rewriteContext  searchResult
> rewriteRule     "^((.+),)?ou=People,dc=example,dc=com$" "$2" ":@"
> # These are required for completeness; "suffixmassage" needs work
> # to accept the empty DN
> rewriteContext  searchAttrDN alias searchResult
> rewriteContext  matchedDN alias searchResult
> rewriteContext  searchFilter
>
> In this case, assuming that your users' DNs are of the type
> "uid=foo,ou=People,dc=example,dc=com" all you need to do is configure
> your clients with "uid=foo"; note the leading "uid=" which makes the
> identity token "foo" comply with DN syntax requirements.  In principle,
> you could do even more sophisticated stuff, in case the "uid" is not
> present in the RDN, or user DNs do not all follow the same pattern.  See
> slapd-meta(5) (in 2.2; slapo-rwm(5) in 2.3) for details about writing
> the rules.
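The following is an added example, not part of either message above, that models the two rewrite contexts from the quoted slapd.conf fragment in Python so the behaviour can be checked before deploying it. The function names, the simplified RDN check and the sample identities are assumptions made for illustration; the suffix "ou=People,dc=example,dc=com" is the one used in the quoted config. It also shows the failure modes that follow from the unconditional ".*" rule: an empty DN (a rootDSE search) and a client that already sends a full DN both get the suffix appended.

```python
import re

# Added example modelling the quoted slapd.conf rewrite hack in Python.
# slapo-rwm / slapd-meta evaluate POSIX extended regexes with $N
# back-references; Python's re uses \N, but the patterns carry over unchanged.
SUFFIX = "ou=People,dc=example,dc=com"

# rewriteContext default:
#   rewriteRule ".*" "$0,ou=People,dc=example,dc=com" ":@"
# ".*" matches whatever DN the client sent, so the suffix is appended
# unconditionally; the "@" flag stops rewriting after this rule matches.
DEFAULT_RE = re.compile(r".*")

# rewriteContext searchResult:
#   rewriteRule "^((.+),)?ou=People,dc=example,dc=com$" "$2" ":@"
# Strips the suffix from returned DNs so the client sees "uid=foo" again.
RESULT_RE = re.compile(r"^((.+),)?" + re.escape(SUFFIX) + r"$")

# Simplified single-RDN check (attributeType=value). Real DN syntax
# (RFC 4514) allows more, but this is what the "leading uid=" advice means.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def rewrite_default(dn: str) -> str:
    """Apply the 'default' context: the DN slapd forwards to the backend."""
    return DEFAULT_RE.sub(lambda m: m.group(0) + "," + SUFFIX, dn, count=1)


def rewrite_search_result(dn: str) -> str:
    """Apply the 'searchResult' context: the DN the client gets back."""
    m = RESULT_RE.match(dn)
    if m is None:
        return dn            # rule does not fire, DN passes through unchanged
    return m.group(2) or ""  # $2 is empty when only the bare suffix matched


def check_client_identity(token: str):
    """Return None if `token` round-trips through the hack, else a reason.

    These are the failure modes of the unconditional ".*" rule: the rewrite
    cannot tell a short identity from a full DN or from the empty DN.
    """
    if token == "":
        return "empty DN (e.g. rootDSE search) becomes ',%s', invalid" % SUFFIX
    if token.lower().endswith(SUFFIX.lower()):
        return "already a full DN; rewrite appends the suffix a second time"
    if not RDN_RE.match(token):
        return "not a single RDN like 'uid=foo'; bare 'foo' is not DN syntax"
    if rewrite_search_result(rewrite_default(token)) != token:
        return "does not round-trip through the searchResult rewrite"
    return None


if __name__ == "__main__":
    # Constructed sample identities a client might be configured with.
    for ident in ["uid=foo", "foo", "", "uid=foo," + SUFFIX]:
        print("%-40r -> %r  (%s)" % (ident, rewrite_default(ident),
                                     check_client_identity(ident) or "ok"))
```

Run it directly to see each sample identity, what the backend would receive, and whether it survives the round trip; only "uid=foo" does, which is the constraint the quoted advice puts on client configuration.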