directory-dev mailing list archives

From Jörg Henne <>
Subject Binding with anything but a dn?
Date Fri, 04 Aug 2006 09:28:35 GMT
Hi all,

MS Active Directory supports the use of at least two forms of Bind-DNs, 
which are not precisely DNs:
- domain\username
- username@dom.ain

The way DS is currently implemented, there is no way to let an 
authenticator support principal names which are not in DN format, 
because the DN format of the principal is enforced very early on in the 
protocol handler.

The way clients usually authenticate users seems to be
- search for the user using either an anonymous bind or an 
administrative user id
- use the retrieved DN to attempt a bind using the supplied credentials.

Allowing non-DN format bind DNs would have two benefits IMHO:
- let AD become more MSAD compatible
- allow for more efficient authentication by getting rid of the extra 


Joerg Henne
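The "search for the user, then bind with the retrieved DN" flow described in the message, applied to the two non-DN principal forms it lists, as an added Python example that is not part of Jörg's message or of Apache Directory Server's own code. The in-memory directory, the salted-hash password verifier, and the mappings from short domain name and DNS domain to a base DN are constructed assumptions; the attribute names sAMAccountName and userPrincipalName are the ones Active Directory uses for the two forms.

```python
"""Resolve a DN, DOMAIN\\user or user@dom.ain bind name to a DN, then bind.

Added example, not from the original thread. The directory contents,
the domain-to-base-DN tables and the password scheme are assumptions.
"""
import hashlib
import hmac
import re


def _verifier(salt: str, secret: str) -> str:
    # Toy salted SHA-256 verifier for the constructed entries below
    # (an assumption; a real server uses its own password storage).
    return hashlib.sha256((salt + secret).encode()).hexdigest()


# Constructed sample directory: DN -> attributes (not real data).
DIRECTORY = {
    "uid=jdoe,ou=users,dc=example,dc=com": {
        "sAMAccountName": "jdoe",
        "userPrincipalName": "jdoe@example.com",
        "salt": "s1",
        "pwhash": _verifier("s1", "correct horse"),
    },
    "uid=asmith,ou=users,dc=example,dc=com": {
        "sAMAccountName": "asmith",
        "userPrincipalName": "asmith@example.com",
        "salt": "s2",
        "pwhash": _verifier("s2", "battery staple"),
    },
}

# Assumed mappings: NetBIOS-style short domain and DNS domain -> base DN.
SHORT_DOMAIN_BASE = {"EXAMPLE": "dc=example,dc=com"}
DNS_DOMAIN_BASE = {"example.com": "dc=example,dc=com"}

# A DN starts with an attribute-type=value component, e.g. "uid=...".
_DN_START = re.compile(r"^\s*[A-Za-z][\w-]*=")


def classify(name: str):
    """Recognise the bind-name form: ("dn", dn), ("netbios", (domain, user)),
    ("upn", (user, domain)) or ("unknown", name)."""
    if _DN_START.match(name):
        return "dn", name.strip()
    if "\\" in name:
        domain, _, user = name.partition("\\")
        if domain and user:
            return "netbios", (domain.upper(), user)
    if "@" in name:
        user, _, domain = name.rpartition("@")
        if user and domain:
            return "upn", (user, domain.lower())
    return "unknown", name


def search_dn(name: str):
    """Step 1 of the usual client flow: find the entry DN for a principal.
    Returns None when the principal cannot be resolved."""
    kind, value = classify(name)
    if kind == "dn":
        return value if value in DIRECTORY else None
    if kind == "netbios":
        domain, user = value
        base = SHORT_DOMAIN_BASE.get(domain)
        if base is None:
            return None
        for dn, entry in DIRECTORY.items():
            if dn.endswith(base) and entry["sAMAccountName"].lower() == user.lower():
                return dn
        return None
    if kind == "upn":
        user, domain = value
        if domain not in DNS_DOMAIN_BASE:
            return None
        wanted = f"{user}@{domain}".lower()
        for dn, entry in DIRECTORY.items():
            if entry["userPrincipalName"].lower() == wanted:
                return dn
    return None


def bind(dn: str, password: str) -> bool:
    """Step 2: the simple bind, checked in constant time against the verifier."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(_verifier(entry["salt"], password), entry["pwhash"])


def authenticate(name: str, password: str):
    """Search then bind; returns the bound DN on success, None otherwise."""
    dn = search_dn(name)
    if dn is None:
        return None
    return dn if bind(dn, password) else None


if __name__ == "__main__":
    for principal in ("EXAMPLE\\jdoe", "jdoe@example.com",
                      "uid=jdoe,ou=users,dc=example,dc=com", "OTHER\\jdoe"):
        print(principal, "->", authenticate(principal, "correct horse"))
```

The three forms all resolve to the same entry, so the bind step is identical regardless of how the client spelled the principal; an unknown domain, an unknown user and a wrong password all produce the same None result, which keeps the caller from learning which of the three failed.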
