Brian Elliott Finley wrote:
> I have a corporate white pages directory [using OpenLDAP] which requires authentication. My desire is that users, when configuring their ldap clients, will only need to put in their username and password, but I have not yet found a way to do this.
> Here are some details that might help:
> - Desired binding DN for a user: "username"
> - Current binding DN for a user: "uid=username,dc=example,dc=com"
> The directory is perfectly flat.

The only standards-compliant way to Bind with a simple username is using SASL Binds.
Since you're using Kerberos anyway, SASL/GSSAPI is the logical choice.

> Here are some additional OpenLDAP specifics with regard to my current authentication setup:
> - Passwords are backended by Kerberos
> - Users may not have a ticket prior to binding, so cn=gssapi,cn=auth is not feasible.

Then there is no simple solution. Write wrappers for your clients that check to make sure a TGT exists before binding, doing the appropriate initial authentication step if not.

> - userPassword is set to "{GSSAPI}username@EXAMPLE.COM"

You probably mean {SASL} as there is no {GSSAPI} password mechanism in OpenLDAP.
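The client wrapper suggested above, written out as an added example (not code from the thread): it checks for a usable TGT, runs the initial Kerberos authentication only when none exists, and then binds with SASL/GSSAPI so the user never types a bind DN and the password goes to the KDC rather than the LDAP server. It assumes MIT Kerberos tools (klist -s, kinit) and OpenLDAP's ldapsearch; the server URI and base DN are placeholders, and the realm EXAMPLE.COM is taken from the thread.

```shell
#!/bin/sh
# Wrapper around an LDAP client that guarantees a Kerberos TGT exists before
# performing a SASL/GSSAPI bind. Constructed example: assumes MIT Kerberos
# command-line tools (klist -s, kinit) and OpenLDAP's ldapsearch.
# The URI and base DN below are placeholders, not values from the thread.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
LDAP_BASE="${LDAP_BASE:-dc=example,dc=com}"
KRB_REALM="${KRB_REALM:-EXAMPLE.COM}"

# ensure_tgt USERNAME
# Returns 0 if a valid TGT is present (or was just obtained), 1 otherwise.
# 'klist -s' exits non-zero when the credential cache is missing or expired,
# so the user is only prompted for a password when no usable ticket exists.
ensure_tgt() {
    user="$1"
    if klist -s 2>/dev/null; then
        return 0
    fi
    # No usable ticket: do the initial authentication step against the KDC.
    # The password is sent to the KDC, never to the LDAP server.
    kinit "${user}@${KRB_REALM}" || return 1
}

# gssapi_search USERNAME FILTER
# Binds with SASL/GSSAPI (no bind DN needed) and runs the search.
gssapi_search() {
    user="$1"
    filter="$2"
    ensure_tgt "$user" || {
        echo "could not obtain a Kerberos ticket for $user" >&2
        return 1
    }
    ldapsearch -Q -Y GSSAPI -H "$LDAP_URI" -b "$LDAP_BASE" "$filter"
}

# Usage: ./ldap-wrapper.sh username '(cn=*Finley*)'
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    gssapi_search "$1" "$2"
fi
```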