Re: HOWTO bind with uid only (short name)

[Howard Chu <hyc@symas.com>]

Brian Elliott Finley wrote:
> I have a corporate white pages directory [using OpenLDAP] which requires
> authentication.  My desire is that users, when configuring their ldap
> clients, will only need to put in their username and password, but I
> have not yet found a way to do this.
>
> Here are some details that might help:
>
>    * Desired binding DN for a user: "username"
>    * Current binding DN for a user: "uid=username,dc=example,dc=com"
>
> The directory is perfectly flat.

The only standards-compliant way to Bind with a simple username is using 
SASL Binds.

Since you're using Kerberos anyway, SASL/GSSAPI is the logical choice.

> Here are some additional OpenLDAP specifics with regard to my current
> authentication setup:
>
>    * Passwords are backended by kerberos
>    * Users may not have a ticket prior to binding, so cn=gssapi,cn=auth
>      is not feasible.

Then there is no simple solution. Write wrappers for your clients that 
check to make sure a TGT exists before binding, doing the appropriate 
initial authentication step if not.

>    * userPassword is set to "{GSSAPI}username@EXAMPLE.COM"

You probably mean {SASL} as there is no {GSSAPI} password mechanism in 
OpenLDAP.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/