directory-dev mailing list archives

From Jörg Henne <j.he...@levigo.de>
Subject Re: Binding with anything but a dn?
Date Fri, 04 Aug 2006 13:14:53 GMT
Alex Karasulu wrote:
> Interesting idea.  As far as having to do a search we're still going 
> to have to lookup something to perform the authentication on bind.  
> Even if we're looking up the user on the native OS or in the server's 
> DIT we still have some kind of search in effect.  Using native OS 
> authentication is a different matter in itself.
>
> We could implement this kind of authentication name format by trying 
> to detect the syntax and then appropriately transforming the name into 
> a DN based on the domain to dn mapping in RFC 3088.  See section 2.1 
> of [0] for a means to convert a DN to a domain name and vice versa.
>
> This way principal jhenne@apache.org or apache.org\jhenne would be 
> transformed to uid=jhenne,dc=apache,dc=org before proceeding with the 
> bind operation.
>
> How does this sound?
That's roughly what I am thinking of. However, a simple mapping is most 
likely not enough, since there may not be a 1:1 mapping from the 
specified name to the DN to bind with (e.g. users spread over several 
OUs may well share the same domain). I was thinking about the following 
algorithm:
1. map the specified name to a base dn, like in your example. This might 
be up to a specialized authentication module.
2. search this base dn for matching users
3. bind using this user's DN.

You are right, of course, that the search still needs to be carried out. 
However, we're saving a network round-trip.

Joerg Henne
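The three-step flow sketched above (map the name to a base DN, search for the user, bind with the found DN), as an added Python example; this is not code from the thread or from Apache Directory. It accepts both the user@domain and DOMAIN\user syntaxes from Alex's message, uses a constructed in-memory dictionary in place of the DIT and a plain string compare in place of the server's bind, and refuses to bind when the search returns zero or more than one entry, which is exactly the non-1:1 case (one uid under several OUs) that Jörg raises.

```python
import hmac
import re

# Constructed sample data standing in for the DIT; not real accounts.
DIRECTORY = {
    "uid=jhenne,ou=engineering,dc=apache,dc=org": "s3cret",
    "uid=alex,ou=sales,dc=apache,dc=org": "hunter2",
    "uid=dup,ou=engineering,dc=apache,dc=org": "pw-a",   # same uid in two OUs
    "uid=dup,ou=sales,dc=apache,dc=org": "pw-b",
}

def parse_principal(name):
    """Accept user@domain or DOMAIN\\user; return (uid, domain) or None."""
    m = re.fullmatch(r"([^@\\]+)@([^@\\]+)", name)
    if m:
        return m.group(1), m.group(2).lower()
    m = re.fullmatch(r"([^@\\]+)\\([^@\\]+)", name)
    if m:
        return m.group(2), m.group(1).lower()
    return None

def domain_to_base_dn(domain):
    """Step 1: DNS domain -> dc= DN, e.g. apache.org -> dc=apache,dc=org."""
    return ",".join(f"dc={label}" for label in domain.split("."))

def search_users(base_dn, uid):
    """Step 2: subtree search under base_dn for entries whose RDN is uid=<uid>."""
    suffix = "," + base_dn
    return [dn for dn in DIRECTORY
            if dn.endswith(suffix) and dn.split(",")[0] == f"uid={uid}"]

def simple_bind(dn, password):
    """Stand-in for the LDAP simple bind against the stored credential."""
    stored = DIRECTORY.get(dn)
    return stored is not None and hmac.compare_digest(stored, password)

def authenticate(name, password):
    """Steps 1-3; returns the bound DN, or None on any failure.

    Fails closed on an unparseable name, no match, or an ambiguous match:
    picking the first of several hits would let the wrong entry be bound.
    """
    parsed = parse_principal(name)
    if parsed is None:
        return None
    uid, domain = parsed
    candidates = search_users(domain_to_base_dn(domain), uid)
    if len(candidates) != 1:
        return None
    dn = candidates[0]
    return dn if simple_bind(dn, password) else None
```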
