authenticating with netscape messenger
I set up the OpenLDAP server on my GNU/Linux box, with most
of its resources only available to authenticated users (by
dn=".+" read). So now from my shell I can authenticate using
a DN and the userpassword attribute of that DN (what one
would expect). I don't intend to let anonymous users do much
of anything, especially not find e-mail addresses.

Then on a Windows machine, using MS Outlook Express, I set
up the directory service, telling it to log in with my DN
and userpassword. That worked too.

Then I tried to get it working with Netscape Messenger 4.74.
Netscape asks you for an E-MAIL ADDRESS and password to log
in with. Then it binds to the LDAP server with dn="" and
searches for "(mail=something)" where "something" is the
e-mail address you offered it.

As it happens, the un-authenticated dn="" doesn't have
access to the mail= attribute, so nothing happens. This is
what I intended for anonymous browsers (nothing).

When I experimentally let dn="" read the mail= attribute, I
discovered that Netscape looks up the e-mail address, and if
it occurs in one and only one entry, tries to log in with
that DN and the user-supplied password. This always fails if
the e-mail address is found more than once. Now I'm
wondering why they decided to use an e-mail address to
identify directory entries, when that's what DNs were for.
It's not unreasonable to have more than one entry list the
same e-mail address, and I see no point (and extra work) in
prohibiting this, or in inventing new unique e-mail
addresses just to use as login names for Netscape Messenger.

Right now my answer is simply "Netscape Messenger doesn't
work with our directory." I'm wondering if there's a better
answer than that.

Michael V. David - MVD53 - michael@newearth.org - mvd@netaxs.com
WEB: http://www.netaxs.com/~mvd/mvd - http://www.newearth.org/~michael
IRC: irc.newearth.org#newearth - AIM: newearth7 - GPS: 40 07 53 N, 75 04 04 W
Quidquid latine dicitur, altum viditur.
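
The search-then-bind login described in the message above, modelled as an added example (not part of the original post and not Netscape or OpenLDAP code). The in-memory directory, the DNs, addresses and passwords, and the function names are all constructed for illustration; the `anon_can_search_mail` flag stands in for the server ACL on dn="".

```python
# Constructed sample directory: two entries deliberately share one address.
DIRECTORY = {
    "cn=Alice,dc=example,dc=org": {"mail": ["alice@example.org"], "userPassword": "a-secret"},
    "cn=Bob,dc=example,dc=org": {"mail": ["shared@example.org"], "userPassword": "b-secret"},
    "cn=Carol,dc=example,dc=org": {"mail": ["shared@example.org"], "userPassword": "c-secret"},
}

def search_mail(bind_dn, address, anon_can_search_mail):
    """Return DNs whose mail matches, subject to the ACL on the anonymous dn=""."""
    if bind_dn == "" and not anon_can_search_mail:
        return []  # server returns no entries; the client cannot tell why
    return [dn for dn, entry in DIRECTORY.items() if address in entry["mail"]]

def simple_bind(dn, password):
    """Password check for a DN; an empty password never authenticates."""
    entry = DIRECTORY.get(dn)
    return entry is not None and password != "" and entry["userPassword"] == password

def login_by_mail(address, password, anon_can_search_mail):
    """Flow from the post: anonymous search on mail, then bind as the single match."""
    matches = search_mail("", address, anon_can_search_mail)
    if not matches:
        return "no-entry"
    if len(matches) > 1:
        return "ambiguous"  # the client has no way to choose between DNs
    dn = matches[0]
    return "bound:" + dn if simple_bind(dn, password) else "bad-password"

def login_by_dn(dn, password):
    """Direct bind with a DN, as the shell client and Outlook Express do."""
    return "bound:" + dn if simple_bind(dn, password) else "bad-password"

if __name__ == "__main__":
    for anon in (False, True):
        for addr, pw in (("alice@example.org", "a-secret"),
                         ("shared@example.org", "b-secret")):
            print("anon mail access:", anon, addr, "->", login_by_mail(addr, pw, anon))
    print(login_by_dn("cn=Bob,dc=example,dc=org", "b-secret"))
```

With anonymous access to mail enabled, the distinct "no-entry" and "bad-password" results let an unauthenticated client confirm which addresses exist in the directory, which is the exposure the closed ACL was meant to prevent.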