Hi all,
is there a way to use the UPN (user@domain.com) notation to do a bind to the OpenLDAP server? Or do I have to use the rwm overlay to map the bind string to a valid DN?
Wilhelm Meier wrote:
is there a way to use the UPN (user@domain.com) notation to do a bind to the OpenLDAP-Server.
Assuming you mean simple bind the answer is no. According to RFC 4511 the name in a BindRequest is a DN. Using the UPN as name is a proprietary violation of LDAPv3 in MS AD.
Or do I have to use the rwm-overlay to map the bind-string to a valid DN?
Not sure whether that would work.
Ciao, Michael.
----- "Michael Ströder" michael@stroeder.com wrote:
Wilhelm Meier wrote:
is there a way to use the UPN (user@domain.com) notation to do a bind to the OpenLDAP-Server.
Assuming you mean simple bind the answer is no. According to RFC 4511 the name in a BindRequest is a DN. Using the UPN as name is a proprietary violation of LDAPv3 in MS AD.
Or do I have to use the rwm-overlay to map the bind-string to a valid DN?
Not sure whether that would work.
It would work if you used "mail=user@domain.com", as it complies with DN syntax. Then you can use rwm rewrite capabilities to expand that string into the user's DN. Something similar is indicated in slapo-rwm(5), AFAIR.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it
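A concrete slapd.conf fragment for the rewrite Pierangelo describes, added here as an illustration and not taken from the thread itself: the client binds with the DN-syntax name "mail=user@domain.com" and slapo-rwm resolves it to the entry's real DN before the bind is processed. The map name attr2dn, the base dc=example,dc=com and the ldap://localhost URI are assumptions; the rule pattern and flags follow the bindDN example given in slapo-rwm(5).

```conf
# Added example (not from the thread): accept a bind name of the form
# "mail=user@domain.com" and rewrite it to the user's entry DN.
# Place in slapd.conf inside the database that holds the user entries.
# Assumed: users live under dc=example,dc=com on this same server.
overlay rwm
rwm-rewriteEngine on

# An "ldap" rewrite map: the argument passed when the map is invoked is
# appended to the URI as its filter part, and the map returns the DN of
# the entry found.  Here the argument will be "mail=user@domain.com".
rwm-rewriteMap ldap attr2dn "ldap://localhost/dc=example,dc=com?dn?sub"

# Rewrite only bind names that consist of exactly one mail= RDN.
# The pattern is anchored on both ends and excludes ',', so a real
# multi-RDN DN never matches and passes through unchanged.
# Flags: ':' stop rewriting once this rule matched,
#        '@' treat the result as an LDAP URI and use the DN it yields,
#        'I' ignore lookup errors (no matching entry then simply means
#            the bind name is left as-is and the bind fails normally).
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
```

The lookup is performed by the overlay, not the client, so the client still sends a syntactically valid DN and the server never has to accept a non-DN bind name; a mail value that matches no entry (or several) is not rewritten and the bind is rejected as usual.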
On Friday, 26 December 2008, Pierangelo Masarati wrote:
----- "Michael Ströder" michael@stroeder.com wrote:
Wilhelm Meier wrote:
is there a way to use the UPN (user@domain.com) notation to do a bind to the OpenLDAP-Server.
Assuming you mean simple bind the answer is no. According to RFC 4511 the name in a BindRequest is a DN. Using the UPN as name is a proprietary violation of LDAPv3 in MS AD.
Or do I have to use the rwm-overlay to map the bind-string to a valid DN?
Not sure whether that would work.
It would work if you used "mail=user@domain.com", as it complies with DN syntax.
Ok, I thought about that, but if you have some silly applications where you can't compose the connect string for the bind, it would be rather nice if one could configure OpenLDAP to use this UPN notation. Most applications must be somewhat modified to use something like "mail=user@domain.com", and then you can think of using the real DN as well.
Then you can use rwm rewrite capabilities to expand that string into the user's DN. Something similar is indicated in slapo-rwm(5), AFAIR.
Yes, that's in the man page. Thank you.
So, if DN-syntax is required, the application must be modified ...
Wilhelm Meier wrote:
On Friday, 26 December 2008, Pierangelo Masarati wrote:
----- "Michael Ströder" michael@stroeder.com wrote:
Wilhelm Meier wrote:
is there a way to use the UPN (user@domain.com) notation to do a bind to the OpenLDAP-Server.
Assuming you mean simple bind the answer is no. According to RFC 4511 the name in a BindRequest is a DN. Using the UPN as name is a proprietary violation of LDAPv3 in MS AD.
Or do I have to use the rwm-overlay to map the bind-string to a valid DN?
Not sure whether that would work.
It would work if you used "mail=user@domain.com", as it complies with DN syntax.
Ok, I thought about that, but if you have some silly applications where you can't compose the connect string for the bind, it would be rather nice if one could configure OpenLDAP to use this UPN notation.
Which applications? Something very AD-specific?
Most LDAP-enabled applications can search for user entries by uid or similar and then bind with the user's entry DN as bind DN.
Ciao, Michael.
On Saturday, 27 December 2008, Michael Ströder wrote:
Wilhelm Meier wrote:
On Friday, 26 December 2008, Pierangelo Masarati wrote:
----- "Michael Ströder" michael@stroeder.com wrote:
Wilhelm Meier wrote:
is there a way to use the UPN (user@domain.com) notation to do a bind to the OpenLDAP-Server.
Assuming you mean simple bind the answer is no. According to RFC 4511 the name in a BindRequest is a DN. Using the UPN as name is a proprietary violation of LDAPv3 in MS AD.
Or do I have to use the rwm-overlay to map the bind-string to a valid DN?
Not sure whether that would work.
It would work if you used "mail=user@domain.com", as it complies with DN syntax.
Ok, I thought about that, but if you have some silly applications where you can't compose the connect string for the bind, it would be rather nice if one could configure OpenLDAP to use this UPN notation.
Which applications? Something very AD-specific?
Not really, but the bind-DN is always composed as <user>@<domain>
Most LDAP-enabled applications can search for user entries by uid or similar and then bind with the user's entry DN as bind DN.
Ciao, Michael.
Wilhelm Meier wrote:
On Saturday, 27 December 2008, Michael Ströder wrote:
Wilhelm Meier wrote:
On Friday, 26 December 2008, Pierangelo Masarati wrote:
----- "Michael Ströder" michael@stroeder.com wrote:
Wilhelm Meier wrote:
is there a way to use the UPN (user@domain.com) notation to do a bind to the OpenLDAP-Server.
Assuming you mean simple bind the answer is no. According to RFC 4511 the name in a BindRequest is a DN. Using the UPN as name is a proprietary violation of LDAPv3 in MS AD.
Or do I have to use the rwm-overlay to map the bind-string to a valid DN?
Not sure whether that would work.
It would work if you used "mail=user@domain.com", as it complies with DN syntax.
Ok, I thought about that, but if you have some silly applications where you can't compose the connect string for the bind, it would be rather nice if one could configure OpenLDAP to use this UPN notation.
Which applications? Something very AD-specific?
Not really, but the bind-DN is always composed as <user>@<domain>
So please don't call it bind-DN, as it is not a DN.
p.
Wilhelm Meier wrote:
On Saturday, 27 December 2008, Michael Ströder wrote:
Wilhelm Meier wrote:
Ok, I thought about that, but if you have some silly applications where you can't compose the connect string for the bind, it would be rather nice if one could configure OpenLDAP to use this UPN notation.
Which applications? Something very AD-specific?
Not really, but the bind-DN is always composed as <user>@<domain>
Yes, then those applications are not LDAPv3 compliant and have to be fixed anyway.
Ciao, Michael.
openldap-software@openldap.org