
Re: Logging in without full DN

--On Friday, October 07, 2005 12:27 PM -0700 "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:

> A number of SASL mechanisms, including
> DIGEST-MD5 (LDAP's mandatory-to-implement "strong"
> authentication mechanism), CRAM-MD5, and PLAIN,
> support authentication identities in the form of a
> simple user name.  OpenLDAP Software supports these
> mechanisms through Cyrus SASL.
>
> And, yes, you can map simple user names to DNs.
> See authz-regex in slapd.conf(5).
>
> Note, however, you cannot use a simple user name as
> the LDAP simple bind name as this is required to be
> an LDAP DN.

And of course, I'm not aware of a single email client that supports SASL binds (they all live in the LDAP V2 world). I have open bugs about this against a number of email client software providers (Qualcomm, Apple, Mozilla).


Personally, I'd suggest some level of visibility controls on your data, with which you can then allow anonymous binds to read "world" data. We do this at Stanford, and email clients at this time can only access world data due to the limitations of their bind methods. If the clients are ever updated to use SASL, then they'll be able to get to Stanford views.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/Shared Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

"These censorship operations against schools and libraries are stronger
than ever in the present religio-political climate. They often focus on
fantasy and sf books, which foster that deadly enemy to bigotry and blind
faith, the imagination." -- Ursula K. Le Guin
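The two ideas in this thread, mapping a SASL user name onto a DN and restricting anonymous binds to "world" data, as an added slapd.conf fragment that is not part of the thread and is not Stanford's configuration; the suffix dc=example,dc=com, the ou=people subtree and the attribute list are assumptions:

```conf
# Added example slapd.conf fragment (not from the thread).

# slapd sees a DIGEST-MD5/CRAM-MD5/PLAIN login as user "jdoe" under the
# pseudo-DN  uid=jdoe,cn=<mechanism>,cn=auth  (no realm configured).
# authz-regexp rewrites that onto the real entry whose uid is jdoe.
# The lookup is pinned to one subtree and must match exactly one entry,
# otherwise the bind fails rather than landing on an arbitrary DN.
authz-regexp
    "^uid=([^,]+),cn=[^,]+,cn=auth$"
    "ldap:///ou=people,dc=example,dc=com??one?(uid=$1)"

# Visibility controls (assumed attribute set). Anonymous, which is all an
# LDAPv2-style mail client can do, gets the "world" attributes only;
# everything else requires an authenticated, SASL-mapped identity.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# "entry" is the pseudo-attribute needed to return an entry at all.
access to attrs=entry,cn,sn,givenName,mail,telephoneNumber
    by * read

access to *
    by users read
    by anonymous none
```

A quick check after a restart is `ldapwhoami -Y DIGEST-MD5 -U jdoe`, which should report the mapped `dn:uid=jdoe,ou=people,dc=example,dc=com` rather than the `cn=auth` pseudo-DN.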