Hi,
I have trouble understanding a rather simple LDAP config issue that I'm sure someone on this list can easily help with:
How do I add a (or change the) pattern of the bind DN that slapd lets me authenticate with?
I have a working slapd setup that I can happily bind to using DNs of the form "cn=Bob Parr,dc=example,dc=com". However, all accounts also have a unique "uid" attribute that I would like to use in addition to (or, if not possible, instead of) the "cn"-based RDN for binding. So, I'd like to (also) bind using the DN "uid=bob,dc=example,dc=com". My understanding is that one entry can have several DNs as long as each one is unambiguous. Shouldn't I be able to bind with any one of these?
I have spent hours on searching for documentation on this and turned up surprisingly little. The problem is not an ACL issue since the logged error when trying a "uid"-based bind is "DB_NOTFOUND: No matching key/data pair found" rather than anything else...
I'd be _very_ grateful for any pointers on this...
Cheers, Mathias
On Fri, 13 Jan 2012 00:30:59 +0100, Mathias openldap.org@postb0x.com wrote:
> Hi,
> I have trouble understanding a rather simple LDAP config issue that I'm sure someone on this list can easily help with:
> How do I add a (or change the) pattern of the bind DN that slapd lets me authenticate with?
> I have a working slapd setup that I can happily bind to using DNs of the form "cn=Bob Parr,dc=example,dc=com". However, all accounts also have a unique "uid" attribute that I would like to use in addition to (or, if not possible, instead of) the "cn"-based RDN for binding. So, I'd like to (also) bind using the DN "uid=bob,dc=example,dc=com". My understanding is that one entry can have several DNs as long as each one is unambiguous. Shouldn't I be able to bind with any one of these?
You could create an entry with distinguished name uid=bob,dc=example,dc=com but I would advise not to do so. Instead configure olcAuthRegexp accordingly and do a SASL bind. [...]
-Dieter
On Friday, 13 January 2012 01:30:59 Mathias wrote:
> Hi,
> I have trouble understanding a rather simple LDAP config issue that I'm sure someone on this list can easily help with:
> How do I add a (or change the) pattern of the bind DN that slapd lets me authenticate with?
> I have a working slapd setup that I can happily bind to using DNs of the form "cn=Bob Parr,dc=example,dc=com". However, all accounts also have a unique "uid" attribute that I would like to use in addition to (or, if not possible, instead of) the "cn"-based RDN for binding.

The DN should not be relevant to end-users. Applications using simple binds should be configurable on which attribute to search on to identify the DN with which to bind. DN construction, or other methods, should be avoided.

> So, I'd like to (also) bind using the DN "uid=bob,dc=example,dc=com". My understanding is that one entry can have several DNs as long as each one is unambiguous.

False.

> Shouldn't I be able to bind with any one of these?

An entry has one DN.

You may be able to rewrite DNs from one form to another, but then why not just configure your applications correctly?

> I have spent hours on searching for documentation on this and turned up surprisingly little. The problem is not an ACL issue since the logged error when trying a "uid"-based bind is "DB_NOTFOUND: No matching key/data pair found" rather than anything else...
> I'd be _very_ grateful for any pointers on this...
Why is the DN form so important to you?
Regards, Buchan
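The "search on an attribute, then bind with the DN you found" pattern Buchan describes, as an added example that is not code from this thread or from OpenLDAP itself. The server URI, base DN, the read-only service account (cn=app-lookup,...) and the password file paths are assumptions. The user supplies only a uid; the application never composes a DN from it, validates the uid before it enters a search filter, and refuses to bind unless the lookup returns exactly one entry.

```shell
#!/bin/sh
# Added example, not code from the thread: an application-side "search, then
# bind" login. The user types a uid; the app looks up the single entry owning
# that uid with a read-only service account, then binds as the DN it found.
#
# Assumed, not from the thread: the server URI, the service account DN and its
# password file, and the base DN.
LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
BASE_DN="${BASE_DN:-dc=example,dc=com}"
SVC_DN="${SVC_DN:-cn=app-lookup,ou=services,dc=example,dc=com}"
SVC_PW_FILE="${SVC_PW_FILE:-/etc/app/lookup.pw}"

# Refuse any login name that would need RFC 4515 filter escaping. Rejecting is
# simpler than escaping and blocks filter injection such as "*" or "bob)(cn=*".
valid_uid() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Read ldapsearch -LLL output on stdin and print one DN per line. ldapsearch
# writes "dn: <value>" for plain DNs and "dn:: <base64>" when the DN contains
# non-ASCII or leading/trailing spaces, so both forms are handled.
dns_from_ldif() {
    while IFS= read -r line; do
        case "$line" in
            "dn:: "*) printf '%s\n' "${line#dn:: }" | base64 -d; printf '\n' ;;
            "dn: "*)  printf '%s\n' "${line#dn: }" ;;
        esac
    done
}

# Count non-blank lines in $1 (awk, so the exit status is always 0).
line_count() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# Read search output on stdin; print the DN only if exactly one entry matched.
# Zero matches is an unknown user (or a failed lookup); two or more is an
# ambiguity the application must not resolve by guessing. Returns 2 for both.
pick_unique_dn() {
    dns=$(dns_from_ldif)
    [ "$(line_count "$dns")" -eq 1 ] || return 2
    printf '%s\n' "$dns"
}

# Full login: returns 0 on success, 1 on bad input, 2 on no/ambiguous match,
# and ldapwhoami's status (49 for invalid credentials) on a failed bind.
# -ZZ makes both operations fail unless StartTLS succeeds, so neither the
# service nor the user password crosses the wire in clear.
login() {
    uid=$1
    user_pw_file=$2
    valid_uid "$uid" || return 1
    dn=$(ldapsearch -LLL -x -ZZ -H "$LDAP_URI" -D "$SVC_DN" -y "$SVC_PW_FILE" \
            -b "$BASE_DN" -s sub "(&(objectClass=inetOrgPerson)(uid=$uid))" 1.1 \
         | pick_unique_dn) || return 2
    # Bind as the DN the directory gave us, never as a DN we composed.
    ldapwhoami -x -ZZ -H "$LDAP_URI" -D "$dn" -y "$user_pw_file"
}
```

Called as `login bob /path/to/users-typed-password`, this finds cn=Bob Parr,dc=example,dc=com from uid=bob and binds as that DN, which is exactly what the original poster wants without changing any entry's DN. The `1.1` attribute list asks the server for DNs only, and the uid whitelist is deliberately strict: a uid that the directory allows but this check rejects is a policy decision to loosen, not a bug to work around by dropping the check.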
On 01/13/12 00:30 +0100, Mathias wrote:
> Hi,
> I have trouble understanding a rather simple LDAP config issue that I'm sure someone on this list can easily help with:
> How do I add a (or change the) pattern of the bind DN that slapd lets me authenticate with?
> I have a working slapd setup that I can happily bind to using DNs of the form "cn=Bob Parr,dc=example,dc=com". However, all accounts also have a unique "uid" attribute that I would like to use in addition to (or, if not possible, instead of) the "cn"-based RDN for binding. So, I'd like to (also) bind using the DN "uid=bob,dc=example,dc=com". My understanding is that one entry can have several DNs as long as each one is unambiguous. Shouldn't I be able to bind with any one of these?
> I have spent hours on searching for documentation on this and turned up surprisingly little. The problem is not an ACL issue since the logged error when trying a "uid"-based bind is "DB_NOTFOUND: No matching key/data pair found" rather than anything else...
> I'd be _very_ grateful for any pointers on this...
> Cheers, Mathias
Each entry within your tree has a unique DN which must be used when performing simple binds. If you'd like to change the DN, you can use the ldapmodrdn utility:
ldapmodrdn -x -W -D "your admin DN" "cn=Bob Parr,dc=example,dc=com" "uid=bob"
which would rename your DN for that entry. The DN will of course need to be unique. You could not have two uid=bob entries under the same hierarchy.
If you need more flexibility in mapping authentication identities to DNs, try using SASL.
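The SASL route that both Dieter and Ryan point at, as an added example that is not from this thread or from the OpenLDAP documentation: a cn=config change that maps a SASL authentication identity to the entry owning the uid, so Bob authenticates as "bob" and ends up bound as the entry whose DN is still cn=Bob Parr,dc=example,dc=com. The cn=config attribute is spelled olcAuthzRegexp (slapd.conf: authz-regexp). The hostname, the realm example.com and the base DN are assumptions.

```ldif
# Added example, not from the thread. Applied with something like
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f authz.ldif
# on the server. Realm (example.com) and base DN are assumptions.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]+),cn=example.com,cn=digest-md5,cn=auth ldap:///dc=example,dc=com??sub?(uid=$1)
```

The match side is the form slapd gives a DIGEST-MD5 identity, uid=<user>,cn=<realm>,cn=<mechanism>,cn=auth; the replacement is a search URL rather than a constructed DN, and slapd only accepts the mapping if that search returns exactly one entry, so an ambiguous uid fails closed instead of binding as the wrong user. To check it, run `ldapwhoami -Y DIGEST-MD5 -U bob -R example.com -H ldap://ldap.example.com`: before the mapping it reports dn:uid=bob,cn=example.com,cn=digest-md5,cn=auth, after it the entry's real DN. Two caveats: the ACLs must be written for that real DN (the mapping does not grant anything), and slapd's DIGEST-MD5 needs access to the cleartext password for the entry, so if userPassword is stored hashed, pair a different mechanism with TLS rather than weakening password storage.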
openldap-technical@openldap.org