Re: Logging in without full DN
A number of SASL mechanisms, including DIGEST-MD5 (LDAP's mandatory-to-implement "strong" authentication mechanism), CRAM-MD5, and PLAIN, support authentication identities in the form of a simple user name. OpenLDAP Software supports these mechanisms through Cyrus SASL.

And, yes, you can map simple user names to DNs. See authz-regex in slapd.conf(5).

Note, however, you cannot use a simple user name as the LDAP simple bind name as this is required to be an LDAP DN.
Kurt
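An added example of the mapping Kurt describes, written for Sean's naming scheme; it is not part of the original thread. It assumes the OpenLDAP 2.3 directive spelling `authz-regexp` (the same directive is `sasl-regexp` in 2.2) and assumes no SASL realm is configured, so the identity slapd sees is `uid=<user>,cn=<mechanism>,cn=auth`.

```conf
# slapd.conf fragment (added example, not from the original thread).
# When a client authenticates with DIGEST-MD5 or CRAM-MD5 (a SASL bind)
# as the simple user name "seanhussey", slapd sees the authentication DN
#     uid=seanhussey,cn=digest-md5,cn=auth
# (uid=<user>,cn=<realm>,cn=<mech>,cn=auth when a SASL realm is set).
# authz-regexp rewrites that identity into the real entry DN.  Rules are
# tried in order and the first one that matches is used.

# Direct rewrite: the user name becomes the uid RDN under ou=people.
authz-regexp
  "^uid=([^,]+),cn=[^,]+,cn=auth$"
  "uid=$1,ou=people,dc=domain,dc=com"

# Alternative, search-based rewrite: look the user up by uid instead of
# assuming the DN layout.  The search must return exactly one entry,
# otherwise the bind fails.
# authz-regexp
#   "^uid=([^,]+),cn=[^,]+,cn=auth$"
#   "ldap:///ou=people,dc=domain,dc=com??one?(uid=$1)"
```

This mapping applies only to SASL binds (for example `ldapsearch -Y DIGEST-MD5 -U seanhussey`); a simple bind still has to supply the full DN, as Kurt notes, so clients that only support simple bind gain nothing from it.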
At 12:00 PM 10/7/2005, Sean Hussey wrote:
>Hi everyone,
>
>We're chugging along, unifying our databases and old LDAP installation
>with our new Unified LDAP solution. Everything's going great.
>
>One of the new policies we have is to not allow anonymous lookups for
>address book searches.
>
>The issue with this is that our client base is...opposed to change.
>Now, they would happily comply if all they had to do was put their
>username and password somewhere, but putting in the full DN? I think
>there would be more typo'ed configs than not.
>
>Now, I've heard that you can configure OpenLDAP such that binding as
>"seanhussey" would alias to
>"uid=seanhussey,ou=people,dc=domain,dc=com".
>
>Was I dreaming, or is this possible?
>
>We're on 2.2.28 right now, but I'm in the middle of upgrading to 2.2.29.
>
>Thanks!
>
>Sean