Re: HOWTO bind with uid only (short name)

[Brian Elliott Finley <finley@anl.gov>]

Thus spake Howard Chu (hyc@symas.com):
> Brian Elliott Finley wrote:
> > I have a corporate white pages directory [using OpenLDAP] which requires
> > authentication.  My desire is that users, when configuring their ldap
> > clients, will only need to put in their username and password, but I
> > have not yet found a way to do this.
> >
> > Here are some details that might help:
> >
> >    * Desired binding DN for a user: "username"
> >    * Current binding DN for a user: "uid=username,dc=example,dc=com"
> >
> > The directory is perfectly flat.
>
> The only standards-compliant way to Bind with a simple username is using 
> SASL Binds.
>
> Since you're using Kerberos anyway, SASL/GSSAPI is the logical choice.
>
> > Here are some additional OpenLDAP specifics with regard to my current
> > authentication setup:
> >
> >    * Passwords are backended by kerberos
> >    * Users may not have a ticket prior to binding, so cn=gssapi,cn=auth
> >      is not feasible.
>
> Then there is no simple solution. Write wrappers for your clients that 
> check to make sure a TGT exists before binding, doing the appropriate 
> initial authentication step if not.

Bummer.  Wrappers will not be feasible in this case, as the clients may
vary far and wide.  Some may not even be configured to use kerberos.

> >    * userPassword is set to "{GSSAPI}username@EXAMPLE.COM"
>
> You probably mean {SASL} as there is no {GSSAPI} password mechanism in 
> OpenLDAP.

Yes.  You are correct.  And to be perfectly clear for archival purposes,
I have userPassword set to "{SASL}username@EXAMPLE.COM".

Thanks,

-Brian


> --
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc
>   OpenLDAP Core Team            http://www.openldap.org/project/

--
Brian Elliott Finley
Mobile:  630.631.6621