[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Question regarding authentication

To: Jason Voorhees <jvoorhees1@gmail.com>
Subject: Re: Question regarding authentication
From: Aaron Richton <richton@nbcs.rutgers.edu>
Date: Thu, 27 Jun 2013 17:09:56 -0400 (EDT)
Cc: openldap-technical@openldap.org
In-reply-to: <CABLXSUrcWJM4MGoo7J5jAmohWrXxNzPTM1k+YHxEVsx66iPDsw@mail.gmail.com>
References: <CABLXSUrcWJM4MGoo7J5jAmohWrXxNzPTM1k+YHxEVsx66iPDsw@mail.gmail.com>
User-agent: Alpine 2.02 (SOC 1266 2009-07-14)

On Thu, 27 Jun 2013, Jason Voorhees wrote:

As you can see, all these have the prefix "pre" before it's realusername (jvoorhees, mjackson, sjobs, bgates, tcruis, etc...). I alsohave an OpenLDAP server with a users directory tree whose usernames arethe same but without "pre", I mean they are jvoorhees, mjackson, sjobs,bgates, tcruis, etc....
[...]
Is this possible to do? Can I make a rule to supress the "pre" prefixbefore authentication against LDAP? If yes, where should I make this"rule": in the Linux box (ldap client) or in the LDAP Server?

You might be able to use some slapo-rwm(5) rules to change all"uid=preXXX,..." into "uid=XXX,..." server-side. To my eye this looks sortof evil and might violate the principle of least surprise. In particular,if you're Linux-specific, perhaps you could look into pam_regex which isdesigned for this sort of use case.

Another possibility might be "splitting the difference," running theslapo-rwm(5) rules inside of a local slapd(8), perhaps accessed via nssov,and keeping an upstream LDAP server without this mess.

I'd suggest you build a test environment, try all your options out and seewhat sticks...

Follow-Ups:
- Re: Question regarding authentication
  - From: Jason Voorhees <jvoorhees1@gmail.com>

References:
- Question regarding authentication
  - From: Jason Voorhees <jvoorhees1@gmail.com>

Prev by Date: Question regarding authentication
Next by Date: Re: Question regarding authentication
Index(es):
- Chronological
- Thread