On 16.02.2016 at 14:56, Mary Kao wrote:
> I have very simple requirements for "users", e.g. representative of user accounts with userid and password.

A "user" for "authentication" in LDAP is mostly an object you can bind to. The easiest way to bind to an LDAP server is a "simple" bind, by which you send the DN of the object and the password. In this case the object has a password field - userPassword. So choose an objectClass with userPassword - i.e. inetOrgPerson - and create an object with this.
I generally dislike the fact that people just tend to default to inetOrgPerson. That objectClass is to be used for a person, not accounts, which is what it appears Mary is talking about. A person may have multiple accounts (i.e., there is NOT a 1:1 mapping between a person and an account). For example, at a previous job, where we deployed with an understanding of the difference, I had a single person account and multiple account objects (my general account, my test account, my root principal account (we used Kerberos), etc.). There may be a number of reasons why a given individual may have more than one account. We used the seeAlso attribute to provide a pointer between account(s) and the person.
--Quanah

--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
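As an added illustration (not part of the thread, and not Zimbra's or anyone's production schema) of the layout Quanah describes: one inetOrgPerson entry for the person, separate account entries that carry the userPassword used for a simple bind, and seeAlso pointers in both directions. The base DN dc=example,dc=com, the ou=People and ou=Accounts containers, the uid values and the person's name are all constructed assumptions; the password values are placeholders.

```ldif
# Constructed example. The person entry describes who someone is.
# It deliberately has no userPassword, so nobody binds as "the person".
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jane Doe
sn: Doe
mail: jdoe@example.com
# pointers from the person to each of her accounts
seeAlso: uid=jdoe,ou=Accounts,dc=example,dc=com
seeAlso: uid=jdoe-test,ou=Accounts,dc=example,dc=com

# Each account is what a client actually binds to: structural class
# "account" (requires uid) plus auxiliary "simpleSecurityObject"
# (requires userPassword), both from the standard COSINE schema.
dn: uid=jdoe,ou=Accounts,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: jdoe
description: general login account
# placeholder: store a hash produced by `slappasswd -h {SSHA}`, never cleartext
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
# pointer back from the account to its owner
seeAlso: uid=jdoe,ou=People,dc=example,dc=com

dn: uid=jdoe-test,ou=Accounts,dc=example,dc=com
objectClass: account
objectClass: simpleSecurityObject
uid: jdoe-test
description: test account with its own, separate credentials
userPassword: {SSHA}REPLACE-WITH-SLAPPASSWD-OUTPUT
seeAlso: uid=jdoe,ou=People,dc=example,dc=com
```

A simple bind then uses an account DN such as uid=jdoe-test,ou=Accounts,dc=example,dc=com with that account's password, and revoking or rotating one account leaves the person entry and the other accounts untouched.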