Hello,
I need to bind sometimes with a username that is not in DN format. I have tried to use authz-regexp to translate it but I am not successful.
I have created a few entries and I can authenticate with the Manager DN. I can also authenticate with other entries when I explicitly use a DN, but when I use something that does not start with "dn=", it fails.
I have this entry that I want to use for authentication:

    dn: cn=ServiceAccount@old-domain.com,dc=old-domain,dc=Com
    cn: ServiceAccount@old-domain.com
    sn: ServiceAccount@old-domain.com
    objectClass: person
    userPassword: {hidden}
When I use the full DN as an argument of the -D option of ldapsearch it works.
I have this in slapd.conf:

    authz-regexp uid=([^,]*).*,cn=auth cn=$1,dc=old-domain,dc=Com

When I run:

    slapauth ServiceAccount@old-domain.com

I see:

    ID: ServiceAccount@old-domain.com check succeeded
    authcID: <cn=ServiceAccount@old-domain.com,dc=old-domain,dc=com>

So it looks like it can translate.

But when I try to use:

    ldapsearch -x -DServiceAccount@old-domain.com ...

I get:

    ldap_bind: Invalid DN syntax (34)
        additional info: invalid DN
I have a system that sends the "service account" for user searches in this format, i.e. not a DN. I can't change the client.
Does anyone have any ideas why SLAPD does not translate? Or do I need to turn on an "allow non-DNs" switch? Or is it actually the ldapsearch command that is complaining? If the latter, is there a way to test?
Gary
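As an added illustration (not OpenLDAP's code, and not part of the post above): a small Python model of the two bind paths, using only the authz-regexp rule and the DN quoted in the post. It shows that authz-regexp is applied to the SASL-form identity uid=<authcid>,cn=auth (the same form slapauth builds from its argument), while a simple bind (-x -D) just hands the name to DN parsing, so a bare "ServiceAccount@old-domain.com" fails the syntax check before any mapping can happen. The DN syntax check and the realm/mechanism form are simplified assumptions, not slapd's actual parser.

```python
import re
from typing import Optional

# The rule from the post, split into its two fields: match pattern, replacement.
AUTHZ_REGEXP = (r"uid=([^,]*).*,cn=auth", r"cn=$1,dc=old-domain,dc=Com")

# Rough model of DN syntax: every comma-separated RDN must be attr=value.
# (Assumption: this stands in for the check behind "Invalid DN syntax (34)".)
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=.+$")


def is_valid_dn(name: str) -> bool:
    """Empty name is the anonymous bind; otherwise all RDNs must parse."""
    return name == "" or all(_RDN.match(rdn.strip()) for rdn in name.split(","))


def map_authz_id(authz_form: str) -> Optional[str]:
    """Apply the authz-regexp rule to an identity already in SASL DN form.
    Returns the rewritten DN, or None when the pattern does not match."""
    pattern, replacement = AUTHZ_REGEXP
    m = re.search(pattern, authz_form, re.IGNORECASE)   # treated as case-insensitive
    if not m:
        return None
    # slapd's replacement syntax refers to capture groups as $1..$9
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)


def simple_bind_name_ok(name: str) -> bool:
    """Simple bind path: the -D value must be a DN; authz-regexp is not consulted."""
    return is_valid_dn(name)


def sasl_bind_mapping(authc_id: str, realm: Optional[str] = None,
                      mech: Optional[str] = None) -> Optional[str]:
    """SASL path: slapd forms uid=<authcid>[,cn=<realm>][,cn=<mech>],cn=auth
    and runs authz-regexp over it (the .* in the rule absorbs realm/mech)."""
    parts = [f"uid={authc_id}"]
    if realm:
        parts.append(f"cn={realm}")
    if mech:
        parts.append(f"cn={mech}")
    parts.append("cn=auth")
    return map_authz_id(",".join(parts))


if __name__ == "__main__":
    name = "ServiceAccount@old-domain.com"   # the account from the post
    print("simple bind -D", name, "->", "ok" if simple_bind_name_ok(name) else "invalid DN (34)")
    print("SASL authcid ", name, "->", sasl_bind_mapping(name))
```

Running it prints the simple-bind rejection for the bare name and the mapped DN for the SASL form, which matches what slapauth reported.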