
Re: Logging in without full DN



A number of SASL mechanisms, including
DIGEST-MD5 (LDAP's mandatory-to-implement "strong"
authentication mechanism), CRAM-MD5, and PLAIN,
support authentication identities in the form of a
simple user name.  OpenLDAP Software supports these
mechanisms through Cyrus SASL.

And, yes, you can map simple user names to DNs.
See authz-regex in slapd.conf(5).

Note, however, you cannot use a simple user name as
the LDAP simple bind name as this is required to be
an LDAP DN.

Kurt
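As an added illustration of the mapping step Kurt points to (this is not code from OpenLDAP or from anyone in this thread), the following Python simulates how an authz-regexp directive, as documented in slapd.conf(5), turns a SASL authentication identity into a DN. slapd presents the SASL identity as "uid=<user>[,cn=<realm>],cn=<mechanism>,cn=auth" and rewrites it with the first matching rule; whole-string, case-insensitive matching and the example rule, suffix and user names are assumptions chosen for the demonstration, so check the real directive against your slapd.conf(5). The point worth noticing is the "[^,]+" capture: it refuses a user name that carries its own RDN separators, so nothing a client types can be rewritten into a different entry's DN.

```python
import re

# Constructed rules in the shape of slapd.conf(5) lines such as:
#   authz-regexp "uid=([^,]+),cn=digest-md5,cn=auth" "uid=$1,ou=people,dc=domain,dc=com"
# (match pattern, replacement with $1..$9 back-references). Example suffix only.
RULES = [
    # DIGEST-MD5, CRAM-MD5 and PLAIN identities without a realm component.
    ("uid=([^,]+),cn=(digest-md5|cram-md5|plain),cn=auth",
     "uid=$1,ou=people,dc=domain,dc=com"),
]


def sasl_authcid(username, mechanism, realm=None):
    """Build the identity string slapd hands to authz-regexp (per slapd.conf(5)).

    Assumed form: uid=<user>[,cn=<realm>],cn=<mechanism>,cn=auth
    """
    parts = [f"uid={username}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mechanism.lower()}", "cn=auth"]
    return ",".join(parts)


def map_to_dn(identity, rules=RULES):
    """Return the DN produced by the first matching rule, or None.

    Matching is case-insensitive and must cover the whole identity; that is a
    conservative choice for this simulation, not a statement about slapd.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, identity, re.IGNORECASE)
        if m is None:
            continue
        # Expand $1..$9 in the replacement with the captured groups.
        return re.sub(r"\$([1-9])", lambda g: m.group(int(g.group(1))), replacement)
    return None


if __name__ == "__main__":
    # Constructed sample identities: an ordinary user, a realm-qualified one
    # (no rule for it), and a name that tries to smuggle in an extra RDN.
    for ident in (
        sasl_authcid("seanhussey", "DIGEST-MD5"),
        sasl_authcid("seanhussey", "DIGEST-MD5", realm="domain.com"),
        sasl_authcid("admin,ou=people", "PLAIN"),
    ):
        print(f"{ident!r:60} -> {map_to_dn(ident)!r}")
```

slapd.conf(5) also allows the replacement to be an LDAP URL (a search that must return exactly one entry), which is what you would use when the user name is not itself the RDN; the DN form above is the simplest case. As Kurt notes, this only affects SASL binds: an LDAP simple bind still has to supply the full DN.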

At 12:00 PM 10/7/2005, Sean Hussey wrote:
>Hi everyone,
>
>We're chugging along, unifying our databases and old LDAP installation
>with our new Unified LDAP solution.  Everything's going great.
>
>One of the new policies we have is to not allow anonymous lookups for
>address book searches.
>
>The issue with this is that our client base is...opposed to change.
>Now, they would happily comply if all they had to do was put their
>username and password somewhere, but putting in the full DN?  I think
>there would be more typo'ed configs than not.
>
>Now, I've heard that you can configure OpenLDAP such that binding as
>"seanhussey" would alias to
>"uid=seanhussey,ou=people,dc=domain,dc=com".
>
>Was I dreaming, or is this possible?
>
>We're on 2.2.28 right now, but I'm in the middle of upgrading to 2.2.29.
>
>Thanks!
>
>Sean