[Date Prev][Date Next] [Chronological] [Thread] [Top]

HOWTO bind with uid only (short name)

To: openldap-software@OpenLDAP.org
Subject: HOWTO bind with uid only (short name)
From: Brian Elliott Finley <finley@anl.gov>
Date: Mon, 2 Oct 2006 16:45:32 -0500
Content-disposition: inline
User-agent: Mutt/1.5.11

I have a corporate white pages directory [using OpenLDAP] which requires
authentication.  My desire is that users, when configuring their ldap
clients, will only need to put in their username and password, but I
have not yet found a way to do this.

Here are some details that might help:

   * Desired binding DN for a user: "username"
   * Current binding DN for a user: "uid=username,dc=example,dc=com"

The directory is perfectly flat.

Here are some additional OpenLDAP specifics with regard to my current
authentication setup:

   * Passwords are backended by kerberos
   * Users may not have a ticket prior to binding, so cn=gssapi,cn=auth
     is not feasible.
   * userPassword is set to "{GSSAPI}username@EXAMPLE.COM"
   * A /usr/lib/sasl2/slapd.conf file is in place, directing GSSAPI ->
     SASL auth requests to saslauthd
   * saslauthd is configured to use PAM
   * /etc/pam.d/ldap (the service that slapd considers itself)
     contains:

     auth            required        pam_krb5.so ignore_root
     account         required        pam_krb5.so ignore_root
     password        optional        pam_krb5.so ignore_root
     session         optional        pam_krb5.so ignore_root

   * /etc/krb5.conf contains the right bits.


Using this config, users are currently able to bind and authenticate
using their kerberos passwords (not tickets).

I've looked into using sasl-regexp, but as that seems to change the sasl identity, not the bind DN, it does not do what we want. It also appears unnecessary in our case, as the only way I've found to do authentication with passwords against either PAM or kerberos directly, is via saslauthd, which seems to only be invokable when doing auth via userPassword set to {GSSAPI}$principal.

So, in summary, I would be very interested in the solutions to
following:

   a) how can I have a user specify a bind dn of "username" or even
      "uid=username".

   b) how can I tell OpenLDAP to authenticate with passwords directly
      against PAM

   c) how can I tell OpenLDAP to allow *anyone* who can authenticate
      against kerberos with a password (perhaps via PAM), without
      even having a per user DN, to bind.

Thanks,

-Brian


--
Brian Elliott Finley
Mobile:  630.631.6621

Follow-Ups:
- Re: HOWTO bind with uid only (short name)
  - From: Howard Chu <hyc@symas.com>

Prev by Date: ppolicy.c module doesn't respect Draft policy
Next by Date: Re: ppolicy.c module doesn't respect Draft policy
Index(es):
- Chronological
- Thread