
Re: authenticating with netscape messenger



Michael David wrote:

> I set up the OpenLDAP server on my GNU/Linux box, with most
> of its resources only available to authenticated users (by
> dn=".+" read). So now from my shell I can authenticate using
> a DN and the userpassword attribute of that DN (what one
> would expect). I don't intend to let anonymous users do much
> of anything, especially not find e-mail addresses
> (mail=something).
>
> Then on a Windows machine, using MS Outlook Express, I set
> up the directory service, telling it to log in with my DN
> and userpassword. That worked too.
>
> Then I tried to get it working with Netscape Messenger 4.74.
> Netscape asks you for an E-MAIL ADDRESS and password to log
> in with. Then it binds to the LDAP server with dn="" and
> searches for "(mail=something)" where "something" is the
> e-mail address you offered it.
>
> As it happens, the un-authenticated dn="" doesn't have
> access to the mail= attribute, so nothing happens. This is
> what I intended for anonymous browsers (nothing).
>
> When I experimentally let dn="" read the mail= attribute, I
> discovered that Netscape looks up the e-mail address, and if
> it occurs in one and only one entry, tries to log in with
> that DN and the user-supplied password. This always fails if
> the e-mail address is found more than once. Now I'm
> wondering why they decided to use an e-mail address to
> identify directory entries, when that's what DNs were for.
> It's not unreasonable to have more than one entry list the
> same e-mail address, and I see no point (and extra work) in
> prohibiting this, or in inventing new unique e-mail
> addresses just to use as login names for Netscape Messenger.
>
> Right now my answer is simply "Netscape Messenger doesn't
> work with our directory." I'm wondering if there's a better
> answer than that.

Go to the .netscape/preferences.js file; add to the directory you're considering
the lines

user_pref("ldap_2.servers.YOURSERVER.auth.enabled", true);
user_pref("ldap_2.servers.YOURSERVER.attributes.auth","User ID:uid");

where YOURSERVER is the normalized name of the directory server you created;
instead of "User ID:uid" you can use any pair of valid display name ("User ID")
and unique attribute ("uid") you like. You can find such information at
http://developer.netscape.com/docs/manuals/communicator/ldap45.htm

Bye, Pierangelo
<ando@sys-net.it>
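The two-step login the thread describes (anonymous search for the login attribute, then a simple bind as the single matching DN) is easy to reason about once it is written down. The following is an added illustration, not code from either poster or from Netscape: it models the directory as an in-memory dictionary, models the ACL as the set of attributes the anonymous bind may read, and shows the three outcomes discussed above: the attribute hidden from dn="" (nothing found), a duplicated mail value (ambiguous, login fails), and a unique attribute such as uid (login succeeds). The DNs, mail values and passwords are constructed sample data.

```python
"""Model of the Netscape Messenger LDAP login flow described in the thread.

Added example (not code from the thread): an in-memory "directory" stands in
for the OpenLDAP server, and resolve_login() mirrors the client's behaviour
of searching first and binding second. Nothing here talks to a real server.
"""

# Constructed sample directory: alice and bob share a mail value (a shared
# role address), but every entry has a unique uid.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"], "mail": ["help@example.com"], "userPassword": ["alice-pw"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"], "mail": ["help@example.com"], "userPassword": ["bob-pw"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "uid": ["carol"], "mail": ["carol@example.com"], "userPassword": ["carol-pw"],
    },
}


def anonymous_search(attr, value, anon_readable):
    """Step 1: bind with dn="" and search for (attr=value).

    Only attributes in anon_readable are visible to the anonymous bind,
    which models an ACL that grants read to authenticated DNs only
    (by dn=".+" read) and leaves everything else hidden from dn="".
    """
    if attr not in anon_readable:
        return []  # the ACL hides the attribute, so the filter matches nothing
    return [dn for dn, entry in DIRECTORY.items() if value in entry.get(attr, [])]


def simple_bind(dn, password):
    """Simple bind: succeed only if the DN exists and the password matches.

    Plaintext comparison is a simplification of the model; a real server
    compares against a hashed userPassword.
    """
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry["userPassword"]


def resolve_login(login, password, attr="mail", anon_readable=frozenset()):
    """Step 2: bind as the matched DN, but only if exactly one entry matched.

    Returns a pair (outcome, dn). outcome is one of:
      "no-entry"     nothing matched (including the attribute being hidden)
      "ambiguous"    more than one entry matched, so the client gives up
      "bad-password" one match, but the bind as that DN failed
      "ok"           one match and the bind succeeded
    """
    matches = anonymous_search(attr, login, anon_readable)
    if not matches:
        return ("no-entry", None)
    if len(matches) > 1:
        return ("ambiguous", None)
    dn = matches[0]
    if simple_bind(dn, password):
        return ("ok", dn)
    return ("bad-password", None)


if __name__ == "__main__":
    # mail hidden from anonymous: the client never finds an entry to bind as
    print(resolve_login("help@example.com", "alice-pw"))
    # mail readable, but shared by two entries: login is ambiguous
    print(resolve_login("help@example.com", "alice-pw", anon_readable={"mail"}))
    # mail readable and unique: login works
    print(resolve_login("carol@example.com", "carol-pw", anon_readable={"mail"}))
    # the reply's suggestion: log in by a unique attribute (uid) instead
    print(resolve_login("alice", "alice-pw", attr="uid", anon_readable={"uid"}))
```

Note that the `attributes.auth` preference in the reply changes which attribute the client searches on; the search itself still runs as dn="", so that attribute (and nothing more) has to be readable anonymously for the lookup to succeed.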