[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Authenticate to slapd using attribute other than DN
Forgive me if I'm missing something blatantly obvious, but I'm
nearing completion on a project to set up the OpenLDAP slapd to proxy
against MS Active Directory servers. This in itself was a pretty
large task, but I've got something working nicely, and I'm most of
the way there. I have much messy Perl code to generate an OpenLDAP-
compatible schema file from an Active Directory schema partition LDIF
dump.
What I'm currently stuck on is using an attribute other than the
Distinguished Name attribute to bind to my slapd instance(s). I've
gotten to the point where I can pull AD-specific attributes proxy-ing
through my OpenLDAP servers. The problem is that, for the sake of
ease-of-use, we want to be able to bind to slapd using something a
little nicer than the DN. Read this as "Our Windows and Mac users
want to be able to bind to the proxy using AD's 'sAMAccountName'
attribute or something as simple as the 'userPrincipalName'
attribute." They don't know their DNs and they don't really want to,
which creates a bit of a burden on me.
Currently, my OpenLDAP proxy server works fine when using a DN to
bind. I'm guessing that I need to use one of the authz-* directives
for slapd.conf/slapd-ldap to massage the data I'm sent into a usable
DN with which to bind. Is this the case? Can anyone recommend
something or send a snippet of their config if they're doing
something simple?
I'm not sure that it's all that relevant, but I'm using a repackaged
Red Hat source RPM from Fedora Core 5 that I rebuilt on Red Hat
Enterprise 4. I am currently running OpenLDAP version 2.3.19.
Everything seems stable and is working much better than I
anticipated, given Red Hat's somewhat specious record with previous
OpenLDAP versions.
If I can solve this one hang-up, I think I'm golden. Thanks for any
help!
ryan woodsmall
rwoodsmall@mac.com
"Be well, do good work, and keep in touch." - Garrison Keillor