Thus spake Howard Chu (hyc@symas.com):
Brian Elliott Finley wrote:
I have a corporate white pages directory [using OpenLDAP] which requires authentication. My desire is that users, when configuring their ldap clients, will only need to put in their username and password, but I have not yet found a way to do this.
Here are some details that might help:
- Desired binding DN for a user: "username"
- Current binding DN for a user: "uid=username,dc=example,dc=com"
The directory is perfectly flat.
The only standards-compliant way to Bind with a simple username is using SASL Binds.
Since you're using Kerberos anyway, SASL/GSSAPI is the logical choice.
Here are some additional OpenLDAP specifics with regard to my current authentication setup:
- Passwords are backended by kerberos
- Users may not have a ticket prior to binding, so cn=gssapi,cn=auth is not feasible.
Then there is no simple solution. Write wrappers for your clients that check to make sure a TGT exists before binding, doing the appropriate initial authentication step if not.
Bummer. Wrappers will not be feasible in this case, as the clients may vary far and wide. Some may not even be configured to use kerberos.
- userPassword is set to "{GSSAPI}username@EXAMPLE.COM"
You probably mean {SASL} as there is no {GSSAPI} password mechanism in OpenLDAP.
Yes. You are correct. And to be perfectly clear for archival purposes, I have userPassword set to "{SASL}username@EXAMPLE.COM".
Thanks,
-Brian
-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/