
Re: Binding Problems with authentication



At 02:43 PM 7/21/99 -0400, Joe Novielli wrote:
>Thanks Julio and Darryl for a quick response.
>
>Darryl, my slapd.conf file already indexes the mail attribute.
>
>Julio: what username should I use then? I've tried several cases.

for Netscape, "jnoviell@matrox.com"...  but note that your
ACL doesn't allow anonymous searches (and reading) of this
attribute (entry).

>
>I changed a few things. But it still does not respond with any results (I 
>know they exist as it works without authentication) (I wish there was a 
>standard for all email clients to search/filter/authenticate upon).
>
>Changes made:
>1) Removed givename attribute
>2) Entries now look like (ie: replaced cn with uid in DN):
>
>dn: uid=jnoviell,location=Dorval,o=Matrox,c=CA
>objectclass: Person
>username: jnoviell
>cn: Joe Novielli
>uid: jnoviell
>mail: jnoviell@matrox.com
>location: Dorval
>sn: Novielli
>userPassword: {crypt}DferPKChVn9Y
>telephoneNumber:xxx-xxxx ext:yyy
>status: Active User
>
>
>Any other suggestions? Much appreciated and thanks
>FYI: My  original message can be found at: 
>http://www.openldap.com/lists/openldap-software/9907/msg00127.html
>
>
>
>
>Julio Wrote
>
>> > The server doesn't seem to bind DN's for authentication (I tried Netscape,
>> > Eudora email clients).
>>
>>The server does, it is that you are being outsmarted by your clients.
>>So
>>that you do not have to remember/type dn's, they make a search, get the
>>dn of the retrieved entry and bind with that dn and the password you
>>give.
>>
>> > Jul 21 11:47:28 pluton.matrox.com slapd[10166]: conn=0 op=1 SRCH
>> > base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="( |
>> > (cn=*MARK*)(SN=*MARK*)(GN=*MARK*)(GIVENNAME=*MARK*))"
>>
>>See? They are looking for a user with a name containing "MARK".  BTW,
>>I never heard of "GN" as a valid alias for "givenName".
>>
>> > Jul 21 11:47:32 pluton.matrox.com slapd[10166]: conn=0 op=1 RESULT err=0
>> > tag=101 nentries=0
>>
>>Unfortunately, the search fails (see nentries=0).
>>
>> > Jul 21 11:57:25 pluton.matrox.com slapd[10166]: conn=1 op=1 SRCH
>> > base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(mail=JNOVIELL,
>> > LOCATION=DORVAL, O=MATROX,C=CA)"
>>
>>In this case, you are trying to write a DN in the login dialog.  Notice
>>that the text in the dialog tells you to use the email address.  It
>>means it.
>>
>> > -------------------------------------------------------------
>> > The user name I am using is:  jnoviell, location=Dorval, o=Matrox,c=CA
>>
>>That would not be a valid dn, the attribute type on the first RDN is
>>missing, you mean "uid=" or maybe "cn=" prepended to that, but don't
>>do it because your clients are expecting something else.
>>
>>Julio
>
>###################################################
>Darryl Wrote
>
>If I'm not mistaken you're using a client that sends the mail attribute to
>the server which in turn retrieves the DN and sends that back to the
>server (with the user supplied password) in a bind request. This
>could be failing because you have either supplied a value such that the
>filter mail=%v yields a result set with no entries. If your entry has a
>mail attribute, use that value to authenticate (you'll probably want to
>index the mail attribute).
>
>
>
>
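
Added example, not part of the original thread: a small Python check that pairs each slapd SRCH line with its RESULT by conn/op and reports lookups that succeeded with nentries=0, which is where the search-then-bind login described above breaks. The sample log is constructed from the lines quoted in the thread (wrapped lines joined, the conn=2 pair invented for contrast), and the function and field names are assumptions.

```python
import re

# Constructed sample in the slapd syslog format quoted in the thread.
SAMPLE_LOG = """\
Jul 21 11:47:28 pluton.matrox.com slapd[10166]: conn=0 op=1 SRCH base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(|(cn=*MARK*)(SN=*MARK*)(GN=*MARK*)(GIVENNAME=*MARK*))"
Jul 21 11:47:32 pluton.matrox.com slapd[10166]: conn=0 op=1 RESULT err=0 tag=101 nentries=0
Jul 21 11:57:25 pluton.matrox.com slapd[10166]: conn=1 op=1 SRCH base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(mail=JNOVIELL, LOCATION=DORVAL, O=MATROX,C=CA)"
Jul 21 11:57:26 pluton.matrox.com slapd[10166]: conn=1 op=1 RESULT err=0 tag=101 nentries=0
Jul 21 12:01:02 pluton.matrox.com slapd[10166]: conn=2 op=1 SRCH base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(mail=JNOVIELL@MATROX.COM)"
Jul 21 12:01:02 pluton.matrox.com slapd[10166]: conn=2 op=1 RESULT err=0 tag=101 nentries=1
"""

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d+) filter="([^"]*)"')
RESULT = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=(\d+) nentries=(\d+)')
# A filter value that itself contains ", type=" looks like a DN typed into the login box.
DN_AS_VALUE = re.compile(r'\(\s*\w+\s*=[^()]*,\s*\w+\s*=')


def empty_searches(log_text):
    """Return searches that completed with err=0 but matched no entries."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            # Remember the filter until the RESULT for the same conn/op arrives.
            pending[(m.group(1), m.group(2))] = m.group(5)
            continue
        m = RESULT.search(line)
        if not m:
            continue
        filt = pending.pop((m.group(1), m.group(2)), None)
        if filt is None or m.group(3) != "0" or int(m.group(5)) > 0:
            continue
        # err=0 with nentries=0: nothing matched, or the ACL hid the entry.
        findings.append({
            "conn": m.group(1),
            "filter": filt,
            "dn_as_value": bool(DN_AS_VALUE.search(filt)),
        })
    return findings


if __name__ == "__main__":
    for f in empty_searches(SAMPLE_LOG):
        hint = "DN entered where an attribute value was expected" if f["dn_as_value"] else "no match or hidden by ACL"
        print(f"conn={f['conn']} filter={f['filter']} -> {hint}")
```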