Authenticate to slapd using attribute other than DN
Forgive me if I'm missing something blatantly obvious, but I'm nearing completion on a project to set up the OpenLDAP slapd to proxy against MS Active Directory servers. This in itself was a pretty large task, but I've got something working nicely, and I'm most of the way there. I have much messy Perl code to generate an OpenLDAP-compatible schema file from an Active Directory schema partition LDIF dump.

What I'm currently stuck on is using an attribute other than the Distinguished Name attribute to bind to my slapd instance(s). I've gotten to the point where I can pull AD-specific attributes proxying through my OpenLDAP servers. The problem is that, for the sake of ease-of-use, we want to be able to bind to slapd using something a little nicer than the DN. Read this as "Our Windows and Mac users want to be able to bind to the proxy using AD's 'sAMAccountName' attribute or something as simple as the 'userPrincipalName' attribute." They don't know their DNs and they don't really want to, which creates a bit of a burden on me.

Currently, my OpenLDAP proxy server works fine when using a DN to bind. I'm guessing that I need to use one of the authz-* directives for slapd.conf/slapd-ldap to massage the data I'm sent into a usable DN with which to bind. Is this the case? Can anyone recommend something or send a snippet of their config if they're doing something simple?

I'm not sure that it's all that relevant, but I'm using a repackaged Red Hat source RPM from Fedora Core 5 that I rebuilt on Red Hat Enterprise 4. I am currently running OpenLDAP version 2.3.19. Everything seems stable and is working much better than I anticipated, given Red Hat's somewhat specious record with previous OpenLDAP versions.

If I can solve this one hang-up, I think I'm golden. Thanks for any help!

  ryan woodsmall
    rwoodsmall@mac.com


"Be well, do good work, and keep in touch." - Garrison Keillor
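Editor's note on the question above. The authz-* directives the poster guesses at (authz-regexp, authz-policy) map SASL authentication identities to DNs; they never see a simple bind. For simple binds against a back-ldap proxy, the place to turn a bare account name into a DN is the slapo-rwm overlay's bindDN rewrite context, with an ldap rewrite map doing the lookup. Below is one way to wire that up, added here as an illustration; it is not the poster's configuration and not a fragment from the OpenLDAP project. Host names, the base DN, the service account, the password placeholder and the character classes in the rules are assumptions. The ldap map uses its argument as the search filter and, with "dn" as the requested attribute, returns the DN of the first match; confirm that and the bindwhen/binddn/credentials keywords against slapo-rwm(5) for the release actually deployed (2.3.x here) before relying on it.

```conf
# Added example, not the original poster's slapd.conf.  back-ldap proxy to AD
# with the rwm overlay rewriting "uid=<name>" simple binds into the real AD DN.

database        ldap
suffix          "dc=example,dc=com"
# Assumption: the AD domain controller is reachable over LDAPS.  The user's
# password is forwarded to AD in the rewritten simple bind, so this hop (and
# the client-to-proxy hop) must be TLS, not plain ldap://.
uri             "ldaps://dc1.example.com/"

overlay         rwm
rwm-rewriteEngine on

# Lookup map: run the filter passed as the map argument under the AD base and
# return the DN of the first entry found.  AD does not allow anonymous
# searches, so the lookup binds as a read-only service account (assumed name;
# give it nothing more than read on the user container).
rwm-rewriteMap  ldap sam2dn "ldaps://dc1.example.com/dc=example,dc=com?dn?sub" \
                bindwhen=everytime \
                binddn="cn=ldapproxy,ou=Service Accounts,dc=example,dc=com" \
                credentials="CHANGEME"

# Rewrite only bind DNs shaped like "uid=<name>" (a single RDN, no comma);
# anything that already looks like a full DN falls through unchanged.
# The character classes are the injection guard: they keep '*', '(', ')',
# '\' and '=' out of the filter built from client input, so a client cannot
# turn the lookup into "(sAMAccountName=*)" and bind as whoever comes first.
# ":@I" -> stop after this rule; ignore a failed lookup so the bind simply
# fails with invalid credentials instead of an operations error.
rwm-rewriteContext bindDN
rwm-rewriteRule "^uid=([A-Za-z0-9._-]+)$"                "${sam2dn((sAMAccountName=$1))}" ":@I"
rwm-rewriteRule "^uid=([A-Za-z0-9._-]+@[A-Za-z0-9.-]+)$"  "${sam2dn((userPrincipalName=$1))}" ":@I"
```

Two practical caveats. First, slapd's front end checks the bind DN for DN syntax before any overlay runs, so a client that sends a bare "jdoe@example.com" is refused with invalidDNSyntax and rwm never sees it; the clients have to be configured to send something DN-shaped such as uid=jdoe or uid=jdoe@example.com, which the second rule above handles. Second, every rewritten bind costs an extra search against AD with the service account's credentials, so keep that account read-only, restrict the search base to the container holding user objects, and watch the AD security log for lookup volume once the Windows and Mac clients start pointing at the proxy.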