10:57 a.m.
Hi all,
is there a way to use the UPN (user(a)domain.com) notation to do a bind
to the OpenLDAP-Server. Or do I have to use the rwm-overlay to map
the bind-string to a valid DN?
--
Wilhelm
3:23 p.m.
Wilhelm Meier wrote:
is there a way to use the UPN (user(a)domain.com) notation to do a bind
to the OpenLDAP-Server.
Assuming you mean simple bind the answer is no. According to RFC 4511
the name in a BindRequest is a DN. Using the UPN as name is a
proprietary violation of LDAPv3 in MS AD.
Or do I have to use the rwm-overlay to map
the bind-string to a valid DN?
Not sure whether that would work.
Ciao, Michael.
5:13 a.m.
----- "Michael Ströder" <michael(a)stroeder.com> wrote:
Wilhelm Meier wrote:
> is there a way to use the UPN (user(a)domain.com) notation to do a
bind
> to the OpenLDAP-Server.
Assuming you mean simple bind the answer is no. According to RFC 4511
the name in a BindRequest is a DN. Using the UPN as name is a
proprietary violation of LDAPv3 in MS AD.
> Or do I have to use the rwm-overlay to map
> the bind-string to a valid DN?
Not sure whether that would work.
It would work if you used "mail=user(a)domain.com", as it complies with DN syntax.
Then you can use rwm rewrite capabilities to expand that string into the user's DN.
Something similar is indicated in slapo-rwm(5), AFAIR.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
9:12 a.m.
Am Freitag 26 Dezember 2008 schrieb Pierangelo Masarati:
----- "Michael Ströder" <michael(a)stroeder.com>
wrote:
> Wilhelm Meier wrote:
> > is there a way to use the UPN (user(a)domain.com) notation to do
> > a
>
> bind
>
> > to the OpenLDAP-Server.
>
> Assuming you mean simple bind the answer is no. According to RFC
> 4511 the name in a BindRequest is a DN. Using the UPN as name is
> a proprietary violation of LDAPv3 in MS AD.
>
> > Or do I have to use the rwm-overlay to map
> > the bind-string to a valid DN?
>
> Not sure whether that would work.
It would work if you used "mail=user(a)domain.com", as it complies
with DN syntax.
Ok, I thought about that, but if you have some silly applications
where you can't compose the connect-string for the bind it would be
rather nice if one can configure the OpenLDAP tu user this upn
notation.
Most applications must be somewhat modified to use something
like "mail=user(a)domain.com" and then you can think of using the real
DN either.
Then you can use rwm rewrite capabilities to
expand that string into the user's DN. Something similar is
indicated in slapo-rwm(5), AFAIR.
Yes, thats in the man-page. Thank you.
So, if DN-syntax is required, the application must be modified ...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
--
Wilhelm
4:10 a.m.
Wilhelm Meier wrote:
Am Freitag 26 Dezember 2008 schrieb Pierangelo Masarati:
> ----- "Michael Ströder" <michael(a)stroeder.com> wrote:
>> Wilhelm Meier wrote:
>>> is there a way to use the UPN (user(a)domain.com) notation to do
>>> a
>> bind
>>
>>> to the OpenLDAP-Server.
>> Assuming you mean simple bind the answer is no. According to RFC
>> 4511 the name in a BindRequest is a DN. Using the UPN as name is
>> a proprietary violation of LDAPv3 in MS AD.
>>
>>> Or do I have to use the rwm-overlay to map
>>> the bind-string to a valid DN?
>> Not sure whether that would work.
> It would work if you used "mail=user(a)domain.com", as it complies
> with DN syntax.
Ok, I thought about that, but if you have some silly applications
where you can't compose the connect-string for the bind it would be
rather nice if one can configure the OpenLDAP tu user this upn
notation.
Which applications? Something very AD-specific?
Most LDAP-enabled applications can search for user entries by uid or
similar and then bind with the user's entry DN as bind DN.
Ciao, Michael.
4:46 a.m.
Am Samstag 27 Dezember 2008 schrieb Michael Ströder:
Wilhelm Meier wrote:
> Am Freitag 26 Dezember 2008 schrieb Pierangelo Masarati:
>> ----- "Michael Ströder" <michael(a)stroeder.com> wrote:
>>> Wilhelm Meier wrote:
>>>> is there a way to use the UPN (user(a)domain.com) notation to do
>>>> a
>>>
>>> bind
>>>
>>>> to the OpenLDAP-Server.
>>>
>>> Assuming you mean simple bind the answer is no. According to
>>> RFC 4511 the name in a BindRequest is a DN. Using the UPN as
>>> name is a proprietary violation of LDAPv3 in MS AD.
>>>
>>>> Or do I have to use the rwm-overlay to map
>>>> the bind-string to a valid DN?
>>>
>>> Not sure whether that would work.
>>
>> It would work if you used "mail=user(a)domain.com", as it complies
>> with DN syntax.
>
> Ok, I thought about that, but if you have some silly applications
> where you can't compose the connect-string for the bind it would
> be rather nice if one can configure the OpenLDAP tu user this upn
> notation.
Which applications? Something very AD-specific?
Not really, but the bind-DN is always composed as <user>@<domain>
Most LDAP-enabled applications can search for user entries by uid
or similar and then bind with the user's entry DN as bind DN.
Ciao, Michael.
--
Wilhelm
5:52 a.m.
Wilhelm Meier wrote:
Am Samstag 27 Dezember 2008 schrieb Michael Ströder:
> Wilhelm Meier wrote:
>> Am Freitag 26 Dezember 2008 schrieb Pierangelo Masarati:
>>> ----- "Michael Ströder" <michael(a)stroeder.com> wrote:
>>>> Wilhelm Meier wrote:
>>>>> is there a way to use the UPN (user(a)domain.com) notation to do
>>>>> a
>>>> bind
>>>>
>>>>> to the OpenLDAP-Server.
>>>> Assuming you mean simple bind the answer is no. According to
>>>> RFC 4511 the name in a BindRequest is a DN. Using the UPN as
>>>> name is a proprietary violation of LDAPv3 in MS AD.
>>>>
>>>>> Or do I have to use the rwm-overlay to map
>>>>> the bind-string to a valid DN?
>>>> Not sure whether that would work.
>>> It would work if you used "mail=user(a)domain.com", as it complies
>>> with DN syntax.
>> Ok, I thought about that, but if you have some silly applications
>> where you can't compose the connect-string for the bind it would
>> be rather nice if one can configure the OpenLDAP tu user this upn
>> notation.
> Which applications? Something very AD-specific?
Not really, but the bind-DN is always composed as <user>@<domain>
So please don't call it bind-DN, as it is not a DN.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
7:35 a.m.
Wilhelm Meier wrote:
Am Samstag 27 Dezember 2008 schrieb Michael Ströder:
> Wilhelm Meier wrote:
>> Ok, I thought about that, but if you have some silly applications
>> where you can't compose the connect-string for the bind it would
>> be rather nice if one can configure the OpenLDAP tu user this upn
>> notation.
> Which applications? Something very AD-specific?
Not really, but the bind-DN is always composed as <user>@<domain>
Yes, then those applications are not LDAPv3 compliant and have to be
fixed anyway.
Ciao, Michael.
5384
days inactive
5386
days old
openldap-software@openldap.org
7 comments
3 participants
participants (3)
-
Michael Ströder -
Pierangelo Masarati -
Wilhelm Meier