(Answer) How does LDAP authentication work in Netscape Communicator 4.x?
This document explains how LDAP authentication in Communicator 4.x works:
http://developer.netscape.com/docs/manuals/communicator/ldap45.htm#authentication

Netscape's Address book has a peculiar way of retrieving data from LDAP. This doesn't really rear its ugly head when unauthenticated users are allowed to retrieve and read entries but it will give you grey hair when you secure your server by requiring authentication.

Under the guise of making it easier for the user, you don't log in with your DN and password; you use your email address instead. The following things happen:

  • Netscape binds anonymously to the LDAP server and searches for the DN of the entry whose mail attribute matches the email address you gave.
  • With that DN retrieved, it contacts the server again and binds using that DN and the password you provided earlier, and only then executes whatever search you actually wanted to do.

To make this actually work, the access control settings in your slapd.conf file have to allow anonymous users search access to the mail attribute and read access to the entry, where "entry" is just another name for the DN itself. Here is an example that works for me:

# Access Control
access to attr=userPassword
        by anonymous auth
        by self write
        by * none

access to attr=mail
        by self write
        by dn=".*,o=DC,c=US" read
        by * search

access to attr=entry
        by * read

access to *
        by self write
        by dn=".*,o=DC,c=US" read
        by * none

Note the access rules for attr=mail and for entry. Obviously you will have to change the lines that contain dn=".*,o=DC,c=US" to reflect your naming scheme.

After finally getting search results in the list of entries displayed by the Netscape address book I ran into another snag. Netscape only pulls up the full set of information from the LDAP server when you double-click on a listed entry to view the details. My debugging showed me that at that point Netscape seemed to have forgotten the identity it used when retrieving the list of matches and it bound anonymously again. The result was that the detailed view showed nothing but the DN - which according to my access rules is readable by everyone.

I overcame this last problem by upgrading Netscape, in my case from 4.72/Mac to 4.75/Mac.
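To make the two-step bind sequence and the ACL requirements above concrete, here is an added example (not from this FAQ or from OpenLDAP) that models the answer's access rules and Netscape's lookup flow in Python against a constructed in-memory directory. The first-match clause evaluation and the privilege ordering follow slapd's access model, but the directory contents and the evaluator itself are assumptions for illustration; it also reproduces the 4.72 snag, where an anonymous detail view can read nothing beyond the DN.

```python
import re

# OpenLDAP privilege ordering; a grant at one level implies every lower level.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The slapd.conf ACLs from this answer as (target attribute, [(who, level), ...]).
ACL = [
    ("userPassword", [("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ("mail",         [("self", "write"), ('dn=".*,o=DC,c=US"', "read"), ("*", "search")]),
    ("entry",        [("*", "read")]),
    ("*",            [("self", "write"), ('dn=".*,o=DC,c=US"', "read"), ("*", "none")]),
]

# Constructed sample directory (not from the page). A bind DN of None means anonymous.
DIRECTORY = {
    "uid=alice,o=DC,c=US": {"cn": "Alice", "mail": "alice@example.com", "userPassword": "alice-pw"},
    "uid=bob,o=DC,c=US":   {"cn": "Bob",   "mail": "bob@example.com",   "userPassword": "bob-pw"},
}

def who_matches(who, binddn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return binddn is None
    if who == "self":
        return binddn is not None and binddn == target_dn
    if who.startswith('dn="'):  # regex form used in the answer's config
        return binddn is not None and re.fullmatch(who[4:-1], binddn) is not None
    return False

def granted(acl, binddn, target_dn, attr, needed):
    """First matching 'access to' clause wins, then its first matching 'by' clause."""
    for target, bys in acl:
        if target in (attr, "*"):
            for who, level in bys:
                if who_matches(who, binddn, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(needed)
            return False
    return False

def find_dn_for_mail(acl, mail):
    """Step 1: anonymous search on mail; the DN is returned only if 'entry' is readable."""
    for dn, attrs in DIRECTORY.items():
        if (attrs.get("mail") == mail and granted(acl, None, dn, "mail", "search")
                and granted(acl, None, dn, "entry", "read")):
            return dn
    return None

def bind(acl, dn, password):
    """Step 2: a simple bind needs 'auth' on userPassword for the still-anonymous client."""
    entry = DIRECTORY.get(dn)
    return (entry is not None and granted(acl, None, dn, "userPassword", "auth")
            and entry["userPassword"] == password)

def readable_attrs(acl, binddn, target_dn):
    """Step 3: the attributes of target_dn that the bound identity may read."""
    return sorted(a for a in DIRECTORY[target_dn] if granted(acl, binddn, target_dn, a, "read"))

def address_book_lookup(acl, mail, password, target_dn):
    """Netscape's flow: anonymous DN lookup, bind as that DN, then the real query."""
    dn = find_dn_for_mail(acl, mail)
    if dn is None or not bind(acl, dn, password):
        return None
    return readable_attrs(acl, dn, target_dn)
```

Prepending a clause such as ("mail", [("*", "none")]) to ACL makes step 1 fail, which is exactly the symptom the answer describes when the server is locked down without the search grant on mail.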

This document is: http://www.openldap.org/faq/index.cgi?file=514
This is a Faq-O-Matic 2.719.
© Copyright 2004, OpenLDAP Foundation, info@OpenLDAP.org