On 6/2/21 12:11 PM, cyril.stoll@uzh.ch wrote:
Certain of our users can bind themselves, i.e. web applications use the username and password of the user who wants to log in to bind to the OpenLDAP server instead of using a dedicated bind user. This currently only works with the username, which is also the DN of the object. All the objects have an attribute "mail" and I would like to offer the possibility to bind using the email address instead of the username. With the current configuration the server responds to such a bind request with:

    ldap_bind: Invalid credentials (49)

Maybe I did not correctly interpret the man page slapd.access, but as far as I understand it I should be able to solve this using dnattr=mail as the "who" part in the olcAccess. I did try it like this:

    olcAccess: {4}to attrs=userPassword by dnattr=mail auth
This won't work.
1. Bear in mind there is no bound entity while processing a bind request. So only a who-clause referring to/including 'anonymous' in userPassword ACLs is relevant while processing the bind operation. A who-clause referring to any other entity does not have any effect while processing a bind request.
2. A simple bind request MUST contain a valid DN. Only specifying a mail attribute value does not work. (MS AD has implemented proprietary simple bind processing accepting a userPrincipalName value as bind-DN. But that's not covered by any standard.)
3. The dnattr= in a who-clause only works with attributes of LDAP syntax DistinguishedName, not with arbitrary other attributes.
Ciao, Michael.
openldap-technical@openldap.org
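Since a simple bind must carry a DN, the usual way to offer "log in with your mail address" is for the web application, not the server ACL, to do a search-then-bind: look up the entry whose mail attribute matches, and only then simple-bind as that entry's DN with the user's password. The following is an added example illustrating that flow; it is not code from the thread or from the OpenLDAP project. The sample directory, its DNs and the search/bind callbacks are constructed stand-ins for a real LDAP client library, so the logic runs offline.

```python
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample directory (DN -> attributes) standing in for a real
# server. The DNs, mail values and passwords are made up for this example.
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "mail": ["alice@example.org"],
        "userPassword": ["alice-secret"],
    },
    "uid=bob,ou=people,dc=example,dc=org": {
        "mail": ["bob@example.org", "shared@example.org"],
        "userPassword": ["bob-secret"],
    },
    "uid=carol,ou=people,dc=example,dc=org": {
        "mail": ["shared@example.org"],
        "userPassword": ["carol-secret"],
    },
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP search filter.
    Without this, user input such as '*' or ')(uid=*' would change the
    meaning of the filter (LDAP filter injection)."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def mail_filter(mail: str) -> str:
    """Equality filter selecting entries whose mail attribute equals `mail`."""
    return "(mail=%s)" % escape_filter_value(mail)


def sample_search(filter_str: str) -> List[str]:
    """Stand-in for an LDAP search returning matching DNs. It only understands
    the exact equality filters produced by mail_filter(); a real server would
    evaluate the filter itself. This search runs under whatever identity the
    application has for lookups (anonymous with read access to mail, or a
    read-only service account)."""
    return [
        dn
        for dn, attrs in SAMPLE_DIRECTORY.items()
        if any(mail_filter(m) == filter_str for m in attrs.get("mail", []))
    ]


def sample_bind(dn: str, password: str) -> bool:
    """Stand-in for a simple bind: succeeds only for an existing DN and a
    matching userPassword. Passing a mail address instead of a DN fails,
    just like the 'Invalid credentials (49)' seen in the thread."""
    entry = SAMPLE_DIRECTORY.get(dn)
    return entry is not None and password in entry["userPassword"]


def login_by_mail(
    mail: str,
    password: str,
    search: Callable[[str], List[str]] = sample_search,
    bind: Callable[[str, str], bool] = sample_bind,
) -> Tuple[bool, str]:
    """Search-then-bind. Returns (success, dn_or_reason)."""
    if not mail or not password:
        # An empty password would turn the simple bind into an unauthenticated
        # bind, which some servers accept; never let that look like a login.
        return False, "empty credentials"
    dns = search(mail_filter(mail))
    if not dns:
        return False, "no entry with that mail"
    if len(dns) > 1:
        # Two entries share the address: refuse rather than guess which
        # account the user meant.
        return False, "mail address is ambiguous"
    dn = dns[0]
    if bind(dn, password):
        return True, dn
    return False, "invalid credentials for %s" % dn


if __name__ == "__main__":
    print(login_by_mail("alice@example.org", "alice-secret"))
    print(login_by_mail("shared@example.org", "bob-secret"))
    print(login_by_mail("*@example.org", "anything"))
```

Against a real server the `search` callback needs an identity that may read `mail` (an anonymous read ACL on that attribute, or a read-only service account), while the final `bind` uses the user's own DN and password exactly as before; the only change on the server side is the ACL needed for the lookup, not the `userPassword` ACL.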