Can I use open-ldap as a translation layer for queries with a ldap client
with minimal configuration potential?
Right now the client (which cannot be trivially modified), can use LDAP
authentication, sort-of. What it does, is it takes your user name, and
assignes it to the 'uid' attribute, and then tacks on whatever string is in
the config to form a distinguished name. For example, if I used 'stapleton'
as my username and the config had 'ou=People,dc=domain,dc=tld', it would
query for 'uid=stapleton,ou=People,dc=dmain,dc=tld'. Unfortunately, people
usernames are everything before the '@' sign in their email, and this is
not their uid. The uid is a number, that is used nowhere else. The standard
process that we use is to take their user name and perform an ldap query to
get the uid from the email, and then use the uid to verify if the user is
correct.
Example:
ldap://server:389/uid=441068,ou=People,dc=mydomain,dc=tld
pulls up my information
Now, if I want to get my uid, I'd do this:
ldap://server:389/ou=People,dc=mydomain,dc=tld?uid?sub?(mail=stapleton@mydomain.tld)
The client, as described cannot do that, if a user attempts to use what
they expect their user name to be, it will send:
uid=stapleton,ou=People,dc=mydomain,dc=tld
or
uid=stapleton@mydomain.tld,ou=People,dc=mydomain,dc=tld
Neither of which will authenticate. Is there a way to make OpenLDAP provide
a middle layer to handle this?
Thank you,
-Jim Stapleton