directory-dev mailing list archives

From Alex Karasulu <>
Subject Re: Binding with enything but a dn?
Date Fri, 04 Aug 2006 15:24:38 GMT
Jörg Henne wrote:
> Alex Karasulu schrieb:
>> Interesting idea.  As far as having to do a search we're still going 
>> to have to lookup something to perform the authentication on bind.  
>> Even if we're looking up the user on the native OS or in the server's 
>> DIT we still have some kind of search in effect.  Using native OS 
>> authentication is a different matter in itself.
>> We could implement this kind of authentication name format by trying 
>> to detect the syntax and then appropriately transforming the name into 
>> a DN based on the domain to dn mapping in RFC 3088.  See section 2.1 
>> of [0] for a means to convert a DN to a domain name and vice versa.
>> This way principal or\jhenne would be 
>> transformed to uid=jhenne,dc=apache,dc=org before proceeding with the 
>> bind operation.
>> How does this sound?
> that's roughly what I am thinking of. However, a simple mapping is most 
> likely not enough, since there may not be a 1:1 mapping from the 
> specified name to the DN to bind with (e.g. users spread over several 
> OUs may well share the same domain). 

You mean the principal's entry may be in some place in the directory 
which does not follow the domain to DN mapping I guess.  Like ... really being in uid=jhenne,ou=users,dc=apache,dc=org

Yes, yes, this is a reasonable conclusion.

> I was thinking about the following 
> algorithm:
> 1. map the specified name to a base dn, like in your example. This might 
> be up to a specialized authentication module.
> 2. search this base dn for matching users
> 3. bind using this user's DN.
> You are right, of course, that the search still needs to be carried out. 
> However, we're saving a network round-trip.

We might want to look at making a custom SASL mechanism to do this as well.
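The three-step scheme Jörg outlines (map the domain part of the name to a base DN, search that subtree for the uid, then bind with the DN that was found), as an added example that is not code from the thread or from Apache Directory. The in-memory DIT, the principal syntaxes (DOMAIN\user and user@domain) and the "one match or nothing" rule are assumptions made for the example; a real server would run step 2 as an LDAP subtree search.

```python
import re

# Constructed in-memory DIT standing in for a real LDAP subtree search: DN -> attributes.
# Users of the same domain are deliberately spread over several OUs (the 1:1 mapping caveat).
DIT = {
    "uid=jhenne,ou=users,dc=apache,dc=org": {"uid": "jhenne"},
    "uid=akarasulu,ou=committers,dc=apache,dc=org": {"uid": "akarasulu"},
    "uid=bob,ou=east,dc=apache,dc=org": {"uid": "bob"},
    "uid=bob,ou=west,dc=apache,dc=org": {"uid": "bob"},   # same uid twice: ambiguous
    "uid=jhenne,ou=users,dc=example,dc=com": {"uid": "jhenne"},
}

def parse_principal(name):
    """Split 'DOMAIN\\user' or 'user@domain' into (uid, domain); None for any other syntax."""
    if "\\" in name:
        domain, _, user = name.partition("\\")
    elif "@" in name:
        user, _, domain = name.rpartition("@")
    else:
        return None
    if not user or not domain:
        return None
    return user.lower(), domain.lower()

def domain_to_base_dn(domain):
    """Step 1: dc-style mapping, apache.org -> dc=apache,dc=org (assumed RFC 2247 form).
    The domain comes from an unauthenticated bind name, so only plain DNS labels are accepted."""
    labels = domain.split(".")
    if not all(re.fullmatch(r"[a-z0-9-]+", l) for l in labels):
        raise ValueError("domain label contains characters not allowed in a DN component")
    return ",".join("dc=" + l for l in labels)

def search_uid(base_dn, uid):
    """Step 2: subtree search under base_dn for entries whose uid equals the given value.
    Exact equality here; a real LDAP filter would need RFC 4515 escaping of uid."""
    return [dn for dn, attrs in DIT.items()
            if dn.endswith("," + base_dn) and attrs.get("uid") == uid]

def resolve_bind_dn(name):
    """Steps 1-3 combined: return the single DN to bind with, or None.
    Zero matches (unknown user) and more than one match (ambiguous) both fail closed,
    so the password is never checked against a guessed entry."""
    parsed = parse_principal(name)
    if parsed is None:
        return None   # not a domain-qualified name; caller treats it as a plain DN
    uid, domain = parsed
    matches = search_uid(domain_to_base_dn(domain), uid)
    return matches[0] if len(matches) == 1 else None
```

resolve_bind_dn("apache.org\\jhenne") yields uid=jhenne,ou=users,dc=apache,dc=org even though that entry does not sit directly under the mapped base, while "bob@apache.org" yields None because two entries match.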

