I have a corporate white pages directory [using OpenLDAP] which requires authentication. My desire is that users, when configuring their ldap clients, will only need to put in their username and password, but I have not yet found a way to do this.
Here are some details that might help:
* Desired binding DN for a user: "username" * Current binding DN for a user: "uid=username,dc=example,dc=com"
The directory is perfectly flat.
Here are some additional OpenLDAP specifics with regard to my current authentication setup:
* Passwords are backended by kerberos * Users may not have a ticket prior to binding, so cn=gssapi,cn=auth is not feasible. * userPassword is set to "{GSSAPI}username@EXAMPLE.COM" * A /usr/lib/sasl2/slapd.conf file is in place, directing GSSAPI -> SASL auth requests to saslauthd * saslauthd is configured to use PAM * /etc/pam.d/ldap (the service that slapd considers itself) contains:
auth required pam_krb5.so ignore_root account required pam_krb5.so ignore_root password optional pam_krb5.so ignore_root session optional pam_krb5.so ignore_root
* /etc/krb5.conf contains the right bits.
Using this config, users are currently able to bind and authenticate using their kerberos passwords (not tickets).
I've looked into using sasl-regexp, but as that seems to change the sasl identity, not the bind DN, it does not do what we want. It also appears unnecessary in our case, as the only way I've found to do authentication with passwords against either PAM or kerberos directly, is via saslauthd, which seems to only be invokable when doing auth via userPassword set to {GSSAPI}$principal.
So, in summary, I would be very interested in the solutions to following:
a) how can I have a user specify a bind dn of "username" or even "uid=username".
b) how can I tell OpenLDAP to authenticate with passwords directly against PAM
c) how can I tell OpenLDAP to allow *anyone* who can authenticate against kerberos with a password (perhaps via PAM), without even having a per user DN, to bind.
Thanks,
-Brian