Alex Karasulu wrote:
> Jörg Henne wrote:
>> Hi all,
>>
>> MS Active Directory supports the use of at least two forms of Bind-DNs,
>> which are not precisely DNs:
>> - domain\username
>> - username@dom.ain
>>
>> The way DS is currently implemented, there is no way to let an
>> authenticator support principal names which are not in DN format,
>> because the DN format of the principal is enforced very early on in
>> the protocol handler.
>>
>> The way clients usually authenticate users seems to be
>> - search for the user using either an anonymous bind or an
>> administrative user id
>> - use the retrieved DN to attempt a bind using the supplied credentials.
>>
>> Allowing non-DN format bind DNs would have two benefits IMHO:
>> - let AD become more MSAD compatible
>> - allow for more efficient authentication by getting rid of the extra
>> search.
>>
>> WDYT?
>
> Interesting idea. As far as having to do a search we're still going
> to have to lookup something to perform the authentication on bind.
> Even if we're looking up the user on the native OS or in the server's
> DIT we still have some kind of search in effect. Using native OS
> authentication is a different matter in itself.
>
> We could implement this kind of authentication name format by trying
> to detect the syntax and then appropriately transforming the name into
> a DN based on the domain to dn mapping in RFC 3088. See section 2.1
> of [0] for a means to convert a DN to a domain name and vice versa.
>
> This way principal jhenne@apache.org or apache.org\jhenne would be
> transformed to uid=jhenne,dc=apache,dc=org before proceeding with the
> bind operation.
>
> How does this sound?
>
> Alex
>
> -----
> [0] - http://www.apps.ietf.org/rfc/rfc3088.html
>
RFC 3062 [1] also relates to this topic in the context of non-DN user names.
--
Ersin
[1] http://tools.ietf.org/html/rfc3062
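The name-form detection and domain-to-DN rewrite that Alex sketches above, as an added example that is not part of this thread and not ApacheDS code. It assumes the user RDN attribute is `uid` (as in the `uid=jhenne,dc=apache,dc=org` example) and that the prefix of the `domain\user` form is a DNS domain name as in `apache.org\jhenne` (in a real AD deployment that prefix is the NetBIOS domain name and would need its own lookup table). The dc= mapping follows RFC 2247, which RFC 3088 section 2.1 builds on. The security-relevant step is the RFC 4514 escaping of the user part: it becomes an RDN value, so without escaping a supplied name such as `jhenne,ou=admins` would rewrite the DN the bind is evaluated against.

```python
import re

# RFC 1035 host-name label: letters, digits and hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Characters that must be escaped inside an RDN attribute value (RFC 4514 section 2.4).
_RDN_SPECIAL = set('\\,+"<>;=')


def escape_rdn_value(value: str) -> str:
    """Escape a string for use as an RDN attribute value (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")            # NUL must be hex-escaped
        elif ch in _RDN_SPECIAL:
            out.append("\\" + ch)         # backslash-escape the specials
        elif ch == "#" and i == 0:
            out.append("\\#")             # leading '#' would start a hex-encoded value
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")             # leading/trailing space is significant
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dn(domain: str) -> str:
    """Map a DNS domain to its dc= DN (RFC 2247 section 3): 'apache.org' -> 'dc=apache,dc=org'.
    Rejects anything that is not a syntactically valid domain name, so no DN syntax can leak in."""
    labels = domain.strip(".").split(".")
    if not labels or not all(_LABEL.match(label) for label in labels):
        raise ValueError("not a valid domain name: %r" % domain)
    return ",".join("dc=" + label for label in labels)


def dn_to_domain(dn: str) -> str:
    """Inverse mapping: accepts only a DN made purely of dc= RDNs whose values are valid labels.
    Splitting on ',' is safe here because a valid label can never contain an escaped comma."""
    labels = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        value = value.strip()
        if attr.strip().lower() != "dc" or not sep or not _LABEL.match(value):
            raise ValueError("not a pure dc= DN: %r" % dn)
        labels.append(value)
    return ".".join(labels)


def principal_to_dn(principal: str, user_attr: str = "uid") -> str:
    """Recognize 'domain\\user' and 'user@domain' and rewrite them to '<user_attr>=user,<dc DN>'.
    A name that already looks like a DN is returned unchanged; anything else is rejected.
    The user part is escaped so that it can only ever be one RDN value, never extra RDNs."""
    has_backslash = "\\" in principal
    has_at = "@" in principal
    if has_backslash and not has_at:
        domain, _, user = principal.partition("\\")          # domain\user
    elif has_at and not has_backslash:
        user, _, domain = principal.rpartition("@")          # user@domain (last '@' wins)
    elif "=" in principal:
        return principal                                     # already a DN
    else:
        raise ValueError("unrecognized principal form: %r" % principal)
    if not user or not domain:
        raise ValueError("empty user or domain in principal: %r" % principal)
    return "%s=%s,%s" % (user_attr, escape_rdn_value(user), domain_to_dn(domain))


if __name__ == "__main__":
    for name in ("jhenne@apache.org", "apache.org\\jhenne", "jhenne,ou=admins@apache.org"):
        print("%-32s -> %s" % (name, principal_to_dn(name)))
```

Both of Jörg's forms resolve to the same DN, and a name carrying DN metacharacters comes out as a single escaped `uid` value rather than as additional RDNs; a `domain\user` name whose prefix is not a syntactically valid domain is rejected before any DN is built.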