Hello,
I have such an RDN:
cn=user1,dc=example,dc=com
but my webmail software knows users only by their emails (which is an attribute of
cn=user1,dc=example,dc=com).
My question is: how can I authenticate in LDAP using the provided email? I tried something like mail=test@example.com,dc=example,dc=com but LDAP refuses such a login.
Thanks in advance for your help.
Greets Pawel
On Sun, 7 Jun 2009, Paweł Madej wrote:
Hello,
I have such an RDN:
cn=user1,dc=example,dc=com
but my webmail software knows users only by their emails (which is an attribute of
cn=user1,dc=example,dc=com).
My question is: how can I authenticate in LDAP using the provided email? I tried something like mail=test@example.com,dc=example,dc=com but LDAP refuses such a login.
Thanks in advance for your help.
Greets Pawel
The first and simplest solution is to set the cn value to exactly the same as the "mail" value, or, even simpler, use "mail=user1@domain.com" as the RDN element. You could also use an LDAP proxy to map the mail attribute to the cn attribute (or the reverse) in a virtual directory.
However, the nature of email addresses is that two different users may have the same address (a group alias), and more than one address can direct mail to the same final user. So, using mail as the RDN is probably not a wise solution.
Probably the best result you'll get is if you make some simple modification to the webmail software you use, to "translate" the email address a user puts into the "login" field into a value which will be used for authentication purposes. Or, you can play with SASL, Kerberos and realms regarding the domain name.
Regards, P.
Hello,
Thanks for the comments.
If my LDAP directory were only for that email I could do this, because even the webmail developers recommend the use of mail in the RDN (Roundcube webmail). But I plan to have a rather wider use of the DIT, so cn=user1,dc=example,dc=com is the easiest solution for me.
Maybe there are some aliases in LDAP which I could use to map email to user? Email is, in my case, rather unique per user.
Greets Pawel
On Sun, 7 Jun 2009 14:37:39 +0200 (CEST), Piotr Wadas pwadas@dtpw.pl wrote:
On Sun, 7 Jun 2009, Paweł Madej wrote:
Hello,
Thanks for the comments.
If my LDAP directory were only for that email I could do this, because even the webmail developers recommend the use of mail in the RDN (Roundcube webmail). But I plan to have a rather wider use of the DIT, so cn=user1,dc=example,dc=com is the easiest solution for me.
Maybe there are some aliases in LDAP which I could use to map email to user? Email is, in my case, rather unique per user.
Greets Pawel
On Sun, 7 Jun 2009 14:37:39 +0200 (CEST), Piotr Wadas pwadas@dtpw.pl
The first and simplest solution is to set the cn value to exactly the same as the "mail" value, or, even simpler, use "mail=user1@domain.com" as the RDN element. You could also use an LDAP proxy to map the mail attribute to the cn attribute (or the reverse) in a virtual directory.
Like I said, consider an LDAP proxy, e.g. man slapd-meta && man slapd-ldap && man slapo-rwm. Probably the "LDAP aliases" you mean are called referrals (?)
P.
I'm new to LDAP syntax and feature names. I mean for mail=test1@example.com,dc=example,dc=com to point to cn=user1,dc=example,dc=com.
I'll look at what you told me and, if I don't catch the point, write again.
Greets Pawel
On Sun, 7 Jun 2009 14:59:58 +0200 (CEST), Piotr Wadas pwadas@dtpw.pl wrote:
On Sunday 07 June 2009 10:12:41 Paweł Madej wrote:
Hello,
I have such RDN
cn=user1,dc=example,dc=com
but my webmail software knows users only by emails (which is attribute to
cn=user1,dc=example,dc=com)
My question is how can i authenticate in LDAP using provided email?
Why do you *think* you need to do this? What (inadequate regarding LDAP) software has a requirement like this? Typically, any LDAP-using application should be able to authenticate any entry on any attribute you choose, as the typical operation of an LDAP-using application for authentication is:
1) Bind as a DN allowed to search for a user
2) Search for a user using a configurable search filter, and retrieve the DN (at least)
3) Using the password the user supplied, do a simple bind as the DN from (2).
If you have software trying to do DN construction from the username the user supplied, I would recommend you return this to the vendor and find better software (or, file bug reports to have the software fixed).
I tried sth like mail=test@example.com,dc=example,dc=com but ldap refuses such login.
Why should it? The RDN isn't the only attribute on the DN ....
Regards, Buchan
The software I'm trying to use is Roundcube webmail; I log in to it to read email using the full email address and password. It provides a backend for an LDAP addressbook and can provide for the LDAP bind the full email or only the username (the part before @) and the password from the email login.
As I'm new to LDAP, I don't know how to create a login DN for this that uses the email attribute of users to authenticate. I cannot tell you if this software architecture is invalid because I have too little knowledge of this topic.
Anyway thank you for your comments.
Greets Pawel.
On Tue, 9 Jun 2009 18:46:07 +0200, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Tuesday 09 June 2009 20:13:15 Paweł Madej wrote:
The software I'm trying to use is Roundcube webmail; I log in to it to read email using the full email address and password. It provides a backend for an LDAP addressbook and can provide for the LDAP bind the full email or only the username (the part before @) and the password from the email login.
Where do you "provide" the "full email" or "only username"? What does it do with these?
As I'm new to LDAP, I don't know how to create a login DN for this that uses the email attribute of users to authenticate. I cannot tell you if this software architecture is invalid because I have too little knowledge of this topic.
Well, I can't find much documentation on roundcube, http://trac.roundcube.net/wiki/Howto_Config is very thin. Since I don't care to install the software, maybe you can provide some more information on how you are configuring it, what the configuration statements available are, and any comments near the configuration statement that can help give us a clue as to how the software is supposed to work ...
Regards, Buchan
To not spam this list too much, I've pasted the Roundcube webmail LDAP part here: http://pastebin.com/m6ba78ab4
and below is the problematic part:
------------------------------------
'user_specific' => true, // If true the base_dn, bind_dn and bind_pass
// default to the user's IMAP login.
// %fu - The full username provided, assumes the username is an email
// address, uses the username_domain value if not an email address.
// %u - The username prior to the '@'.
// %d - The domain name after the '@'.
'base_dn' => '',
'bind_dn' => '',
'bind_pass' => '',
-------------------------------------
So if I do not define bind_dn it defaults to the user's mail (user@example.com); if bind_pass is not defined it defaults to the password which the user used to log in to the mailbox.
My example LDAP tree for the private addressbook:
ou=addressbook,cn=Johny Cash,ou=people,dc=example,dc=com
He has these attributes:
mail=johny@example.com
userpassword=testpassword
So I tried this configuration:
'base_dn' => 'ou=addressbook,mail=%fu,ou=people,dc=example,dc=com',
'bind_dn' => 'mail=%fu,ou=people,dc=example,dc=com',
It does not work, and in the log I have:
-----------------------------------
Jun 10 12:27:45 eleanor slapd[8132]: conn=17 fd=14 ACCEPT from IP=127.0.0.1:36004 (IP=0.0.0.0:389)
Jun 10 12:27:45 eleanor slapd[8132]: conn=17 op=0 BIND dn="mail=johny@example.com,ou=people,dc=example,dc=com" method=128
Jun 10 12:27:45 eleanor slapd[8132]: conn=17 op=0 RESULT tag=97 err=49 text=
Jun 10 12:27:45 eleanor slapd[8132]: conn=17 op=1 UNBIND
Jun 10 12:27:45 eleanor slapd[8132]: conn=17 fd=14 closed
----------------------------------
I have no idea if it is possible for this to work; do you?
Thanks and Greets Pawel
On Wed, Jun 10, 2009 at 12:31:56PM +0200, Paweł Madej wrote:
To not spam this list too much, I've pasted the Roundcube webmail LDAP part here: http://pastebin.com/m6ba78ab4
It looks to me as if the per-user private addressbook facility requires a specific DIT structure with the username in the DN. This is very restrictive, so I suggest asking the developers to change it.
A more general solution requires something like this:
A 'system' DN and password to bind to the directory before we have verified the user. In some cases this search can be anonymous, but in others anon would be blocked by access-control policy.
A base DN from which to start a subtree search to find the user entry.
A configurable search spec to find user entries. In your case, this might say something like: (&(objectclass=account)(mail=%fu)) [Note the use of objectclass to prevent it from finding addressbook entries: we only want the main account entry at this stage]
Having found the user entry, the application should re-bind as the user for access to addressbooks etc.
For per-user addressbooks, you then want to prepend an optional RDN component to the user DN (e.g. cn=addressbook) and build the addressbook entries below that. I would suggest using a meaningless random number as the RDN of each entry.
Note that the use of search means that the DIT structure is not constrained by the application.
Andrew
openldap-technical@openldap.org
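A worked version of the search-then-bind flow Buchan lists (bind as a system DN, search with a configurable filter, re-bind as the DN found) together with the refinements in Andrew's reply (the objectclass term in the filter, and a per-user addressbook subtree prepended to the found DN). This is an added example, not code from the thread, from Roundcube or from OpenLDAP. A real deployment would issue these operations through an LDAP client library against slapd; here a tiny in-memory Directory class stands in for the server so the flow runs offline, and the entries, passwords and the system DN cn=roundcube,ou=services,dc=example,dc=com are all constructed for the example. It also shows why the DN-construction attempt in Pawel's log gets err=49: no entry with that DN exists.

```python
"""Search-then-bind LDAP authentication modelled on the steps discussed in
the thread.  Added example: an in-memory stand-in replaces slapd, schema is
not enforced, and all entries and passwords are constructed sample data."""

from dataclasses import dataclass


@dataclass
class Entry:
    dn: str
    attrs: dict  # attribute name -> list of values


class Directory:
    """Stand-in for slapd offering the two operations the flow needs:
    a simple bind and a subtree search with an AND-of-equality filter.
    Comparisons are case-insensitive, like the matching rules of mail
    and objectClass in the standard schema."""

    def __init__(self, entries):
        self.entries = {e.dn.lower(): e for e in entries}

    def simple_bind(self, dn, password):
        # Analogue of slapd's BIND: invalidCredentials (err=49) both when
        # the DN does not exist and when the password is wrong.
        e = self.entries.get(dn.lower())
        return e is not None and password in e.attrs.get("userPassword", [])

    def search(self, base, assertions):
        """Entries at or below `base` matching every (attr, value) pair."""
        base = base.lower()
        hits = []
        for e in self.entries.values():
            dn = e.dn.lower()
            if dn != base and not dn.endswith("," + base):
                continue
            if all(any(v.lower() == want.lower() for v in e.attrs.get(attr, []))
                   for attr, want in assertions):
                hits.append(e)
        return hits


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter, so
    the login a user typed is always matched literally."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch
                   for ch in value)


def build_user_filter(mail):
    """Andrew's search spec with %fu substituted (for the real server)."""
    return "(&(objectClass=account)(mail=%s))" % escape_filter_value(mail)


def authenticate(directory, system_dn, system_pw, base, mail, password):
    """Returns the authenticated user DN, or None on any failure."""
    # Step 1: bind as a DN allowed to search for users.
    if not directory.simple_bind(system_dn, system_pw):
        return None
    # Step 2: search with the configurable filter.  The objectClass term
    # keeps addressbook contacts, which may carry a mail attribute too,
    # out of the result.
    hits = directory.search(base, [("objectClass", "account"), ("mail", mail)])
    # Exactly one entry must match: none means unknown user, several means
    # mail is not unique here (Piotr's group-alias case) and we refuse to guess.
    if len(hits) != 1:
        return None
    user_dn = hits[0].dn
    # Step 3: re-bind as the user with the password they supplied.
    return user_dn if directory.simple_bind(user_dn, password) else None


def addressbook_base(user_dn):
    """Per-user addressbook: an RDN prepended to the found user DN."""
    return "ou=addressbook," + user_dn


# Constructed sample DIT in the shape discussed in the thread.
SAMPLE = Directory([
    Entry("cn=roundcube,ou=services,dc=example,dc=com",
          {"objectClass": ["account"], "userPassword": ["svc-secret"]}),
    Entry("cn=Johny Cash,ou=people,dc=example,dc=com",
          {"objectClass": ["account"], "mail": ["johny@example.com"],
           "userPassword": ["testpassword"]}),
    Entry("ou=addressbook,cn=Johny Cash,ou=people,dc=example,dc=com",
          {"objectClass": ["organizationalUnit"]}),
    # A contact with the same mail as the user: excluded by objectClass.
    Entry("cn=contact1,ou=addressbook,cn=Johny Cash,ou=people,dc=example,dc=com",
          {"objectClass": ["inetOrgPerson"], "mail": ["johny@example.com"]}),
])

if __name__ == "__main__":
    dn = authenticate(SAMPLE, "cn=roundcube,ou=services,dc=example,dc=com",
                      "svc-secret", "ou=people,dc=example,dc=com",
                      "johny@example.com", "testpassword")
    print("filter sent:", build_user_filter("johny@example.com"))
    print("user DN:", dn)
    print("addressbook base:", addressbook_base(dn) if dn else None)
    # The DN-construction attempt from the log: no such entry, so err=49.
    print("constructed-DN bind:", SAMPLE.simple_bind(
        "mail=johny@example.com,ou=people,dc=example,dc=com", "testpassword"))
```

The same flow against a real server is the sequence Buchan describes: one bind as the service account, one search with the filter returned by build_user_filter, then a second bind as the DN that came back; the application never has to know where in the DIT the user entry sits.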