directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Karasulu <aok...@bellsouth.net>
Subject Re: Binding with enything but a dn?
Date Fri, 04 Aug 2006 13:01:26 GMT
Jörg Henne wrote:
> Hi all,
> 
> MS Active Directory supports the use at least two forms ob Bind-DNs, 
> which are not precisely DNs:
> - domain\username
> - username@dom.ain
> 
> The way DS is currently implemented, there is no way to let an 
> authenticator support principal names which are not in DN format, 
> because the DN format of the principal is enforced very early on in the 
> protocol handler.
> 
> The way clients usually authenticate users seems to be
> - search for the user using either an anonymous bind or an 
> administrative user id
> - use the retrieved DN to attempt a bind using the supplied credentials.
> 
> Allowing non-DN format bind DNs would have two benefits IMHO:
> - let AD become more MSAD compatible
> - allow for more efficient authentication by getting rid of the extra 
> search.
> 
> WDYT?

Interesting idea.  As far as having to do a search we're still going to 
have to lookup something to perform the authentication on bind.  Even if 
we're looking up the user on the native OS or in the server's DIT we 
still have some kind of search in effect.  Using native OS 
authentication is a different matter in itself.

We could implement this kind of authentication name format by trying to 
detect the syntax and then appropriately transforming the name into a DN 
based on the domain to dn mapping in RFC 3088.  See section 2.1 of [0] 
for a means to convert a DN to a domain name and vice versa.

This way principal jhenne@apache.org or apache.org\jhenne would be 
transformed to uid=jhenne,dc=apache,dc=org before proceeding with the 
bind operation.

How does this sound?

Alex

-----
[0] - http://www.apps.ietf.org/rfc/rfc3088.html

Mime
View raw message