3:30 p.m.
Hi,
I have trouble understanding a rather simple LDAP config issue that
I'm sure someone on this list can easily help with:
How do I add a (or change the) pattern of the bind DN that slapd lets
me authenticate with?
I have a working slapd setup that I can happily bind to using DNs of
the form "cn=Bob Parr,dc=example,dc=com". However, all accounts also
have a unique "uid" attribute that I would like to use in addition to
(or, if not possible, instead of) the "cn"-based RDN for binding.
So, I'd like to (also) bind using the DN "uid=bob,dc=example,dc=com".
My understanding is that one entry can have several DNs as long as
each one is unambiguous. Shouldn't I be able to bind with anyone of
these?
I have spent hours on searching for documentation on this and turned
up surprisingly little. The problem is not an ACL issue since the
logged error when trying a "uid"-based bind is "DB_NOTFOUND: No
matching key/data pair found" rather than anything else...
I'd be _very_ grateful for any pointers on this...
Cheers,
Mathias
11:34 p.m.
Am Fri, 13 Jan 2012 00:30:59 +0100
schrieb Mathias <openldap.org(a)postb0x.com>:
Hi,
I have trouble understanding a rather simple LDAP config issue that
I'm sure someone on this list can easily help with:
How do I add a (or change the) pattern of the bind DN that slapd lets
me authenticate with?
I have a working slapd setup that I can happily bind to using DNs of
the form "cn=Bob Parr,dc=example,dc=com". However, all accounts also
have a unique "uid" attribute that I would like to use in addition to
(or, if not possible, instead of) the "cn"-based RDN for binding.
So, I'd like to (also) bind using the DN "uid=bob,dc=example,dc=com".
My understanding is that one entry can have several DNs as long as
each one is unambiguous. Shouldn't I be able to bind with anyone of
these?
You could create an entry with distinguished name
uid=bob,dc=example,dc=com
but I would advise not to do so. Instead configure
olcAuthRegexp accordingly and do a sasl bind.
[...]
-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
1:09 a.m.
On Friday, 13 January 2012 01:30:59 Mathias wrote:
Hi,
I have trouble understanding a rather simple LDAP config issue that
I'm sure someone on this list can easily help with:
How do I add a (or change the) pattern of the bind DN that slapd lets
me authenticate with?
I have a working slapd setup that I can happily bind to using DNs of
the form "cn=Bob Parr,dc=example,dc=com". However, all accounts also
have a unique "uid" attribute that I would like to use in addition to
(or, if not possible, instead of) the "cn"-based RDN for binding.
The DN should not be relevant to end-users. Applications using simple binds
should be configurable on which attribute to search on to identify the DN with
which to bind. DN construction, or other methods should be avoided.
So, I'd like to (also) bind using the DN
"uid=bob,dc=example,dc=com".
My understanding is that one entry can have several DNs as long as
each one is unambiguous.
False.
Shouldn't I be able to bind with anyone of
these?
An entry has one DN.
You may be able to rewrite DNs from one form to another, but then why not just
configure your applications correctly?
I have spent hours on searching for documentation on this and turned
up surprisingly little. The problem is not an ACL issue since the
logged error when trying a "uid"-based bind is "DB_NOTFOUND: No
matching key/data pair found" rather than anything else...
I'd be _very_ grateful for any pointers on this...
Why is the DN form so important to you?
Regards,
Buchan
7:25 a.m.
On 01/13/12 00:30 +0100, Mathias wrote:
Hi,
I have trouble understanding a rather simple LDAP config issue that
I'm sure someone on this list can easily help with:
How do I add a (or change the) pattern of the bind DN that slapd lets
me authenticate with?
I have a working slapd setup that I can happily bind to using DNs of
the form "cn=Bob Parr,dc=example,dc=com". However, all accounts also
have a unique "uid" attribute that I would like to use in addition to
(or, if not possible, instead of) the "cn"-based RDN for binding.
So, I'd like to (also) bind using the DN "uid=bob,dc=example,dc=com".
My understanding is that one entry can have several DNs as long as
each one is unambiguous. Shouldn't I be able to bind with anyone of
these?
I have spent hours on searching for documentation on this and turned
up surprisingly little. The problem is not an ACL issue since the
logged error when trying a "uid"-based bind is "DB_NOTFOUND: No
matching key/data pair found" rather than anything else...
I'd be _very_ grateful for any pointers on this...
Cheers,
Mathias
Each entry within your tree has a unique DN which must be used when
performing simple binds. If you'd like to change the DN, you can use the
ldapmodrdn utility:
ldapmodrdn -x -D "your admin DN" "cn=Bob Parr,dc=example,dc=com"
"uid=bob"
which would rename your DN for that entry. The DN will of course need to be
unique. You could not have two uid=bob entries, under the same hierarchy.
If you need more flexibility in mapping authentication identities to DNs,
try using SASL.
--
Dan White
4165
days inactive
4166
days old
openldap-technical@openldap.org
3 comments
4 participants
participants (4)
-
Buchan Milne -
Dan White -
Dieter Klünter -
Mathias