directory-dev mailing list archives
From Ersin Er <ersin...@gmail.com>
Subject Re: Binding with anything but a dn?
Date Fri, 04 Aug 2006 15:24:38 GMT
Alex Karasulu wrote:
> Jörg Henne wrote:
>> Hi all,
>>
>> MS Active Directory supports the use of at least two forms of Bind-DNs, 
>> which are not precisely DNs:
>> - domain\username
>> - username@dom.ain
>>
>> The way DS is currently implemented, there is no way to let an 
>> authenticator support principal names which are not in DN format, 
>> because the DN format of the principal is enforced very early on in 
>> the protocol handler.
>>
>> The way clients usually authenticate users seems to be
>> - search for the user using either an anonymous bind or an 
>> administrative user id
>> - use the retrieved DN to attempt a bind using the supplied credentials.
>>
>> Allowing non-DN format bind DNs would have two benefits IMHO:
>> - let AD become more MSAD compatible
>> - allow for more efficient authentication by getting rid of the extra 
>> search.
>>
>> WDYT?
>
> Interesting idea.  As far as having to do a search we're still going 
> to have to lookup something to perform the authentication on bind.  
> Even if we're looking up the user on the native OS or in the server's 
> DIT we still have some kind of search in effect.  Using native OS 
> authentication is a different matter in itself.
>
> We could implement this kind of authentication name format by trying 
> to detect the syntax and then appropriately transforming the name into 
> a DN based on the domain to dn mapping in RFC 3088.  See section 2.1 
> of [0] for a means to convert a DN to a domain name and vice versa.
>
> This way principal jhenne@apache.org or apache.org\jhenne would be 
> transformed to uid=jhenne,dc=apache,dc=org before proceeding with the 
> bind operation.
>
> How does this sound?
>
> Alex
>
> -----
> [0] - http://www.apps.ietf.org/rfc/rfc3088.html
>
RFC 3062 [1] also relates to this topic in the context of non-DN user names.

-- 
Ersin

[1] http://tools.ietf.org/html/rfc3062
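Added example, not ApacheDS code, of the syntax detection and domain-to-DN transformation Alex proposes: the `uid` attribute name, the DNS label check and the RFC 4514 value escaping are my assumptions, and the inputs are constructed after his jhenne@apache.org example.

```python
import re

# Assumed: a DN is recognised by a leading "attr=" (name or OID) and passed through.
_DN_START = re.compile(r"^\s*(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)=")
# Assumed: conservative letter-digit-hyphen rule for each DNS label.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Characters that must be escaped inside an RDN value (RFC 4514, section 2.4).
_DN_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape a user-supplied string so it stays a single RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def domain_to_dn(domain: str) -> str:
    """Map dom.ain to dc=dom,dc=ain, rejecting malformed labels."""
    labels = domain.strip().split(".")
    if any(not _LABEL.match(label) for label in labels):
        raise ValueError(f"malformed domain: {domain!r}")
    return ",".join("dc=" + label.lower() for label in labels)


def principal_to_dn(principal: str, uid_attr: str = "uid") -> str:
    """Detect user@dom.ain, dom.ain\\user or a plain DN and return the bind DN.

    The user part is escaped before it is placed in the RDN, so a name such as
    'jh,dc=evil' cannot add RDNs and rebind as a different entry.
    """
    if _DN_START.match(principal):
        return principal  # already a DN; the normal DN parser validates it
    if "\\" in principal:
        domain, _, user = principal.partition("\\")
    elif "@" in principal:
        user, _, domain = principal.rpartition("@")
    else:
        raise ValueError(f"unrecognised principal syntax: {principal!r}")
    if not user or not domain:
        raise ValueError(f"empty user or domain in principal: {principal!r}")
    return f"{uid_attr}={escape_rdn_value(user)},{domain_to_dn(domain)}"
```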