directory-dev mailing list archives

From Jörg Henne <j.he...@levigo.de>
Subject Re: Binding with enything but a dn?
Date Fri, 04 Aug 2006 15:43:00 GMT
Alex Karasulu schrieb:
> Jörg Henne wrote:
>> Alex Karasulu schrieb:
>>> Interesting idea.  As far as having to do a search we're still going 
>>> to have to lookup something to perform the authentication on bind.  
>>> Even if we're looking up the user on the native OS or in the 
>>> server's DIT we still have some kind of search in effect.  Using 
>>> native OS authentication is a different matter in itself.
>>>
>>> We could implement this kind of authentication name format by trying 
>>> to detect the syntax and then appropriately transforming the name 
>>> into a DN based on the domain to dn mapping in RFC 3088.  See 
>>> section 2.1 of [0] for a means to convert a DN to a domain name and 
>>> vice versa.
>>>
>>> This way principal jhenne@apache.org or apache.org\jhenne would be 
>>> transformed to uid=jhenne,dc=apache,dc=org before proceeding with 
>>> the bind operation.
>>>
>>> How does this sound?
>> that's roughly what I am thinking of. However, a simple mapping is 
>> most likely not enough, since there may not be a 1:1 mapping from the 
>> specified name to the DN to bind with (e.g. users spread over several 
>> OUs may well share the same domain). 
>
> You mean the principal's entry may be in some place in the directory 
> which does not follow the domain to DN mapping I guess.  Like ...
>
> jhenne@apache.org really being in uid=jhenne,ou=users,dc=apache,dc=org
>
> Yes, yes, this is a reasonable conclusion.
Yup, exactly. That's the way our MSADS is set up.

Joerg Henne
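The two variants discussed in this thread, as an added example that is not code from ApacheDS or from either poster (Python is used here for brevity even though the server is written in Java): `direct_bind_dn` performs the 1:1 transformation of `jhenne@apache.org` / `apache.org\jhenne` into `uid=jhenne,dc=apache,dc=org` via the RFC 2247/3088 domain-to-DN mapping, and `resolve_bind_dn` treats the domain DN only as a search base and locates the entry by uid, which is what an OU-structured directory needs. `SAMPLE_DIT` is a constructed stand-in for a subtree search, and all function names are assumptions. The user part of the principal is escaped per RFC 4514 before it is placed in an RDN and per RFC 4515 before it goes into a filter, so a principal like `x,ou=admins@apache.org` cannot splice extra RDNs into the bind DN; the search variant fails closed when the uid is missing or occurs in more than one OU.

```python
import re

# Constructed sample DIT standing in for a subtree search; not real data.
SAMPLE_DIT = frozenset({
    "uid=jhenne,ou=users,dc=apache,dc=org",
    "uid=akarasulu,ou=staff,dc=apache,dc=org",
    "uid=bob,ou=users,dc=apache,dc=org",          # same uid in two OUs:
    "uid=bob,ou=contractors,dc=apache,dc=org",    # resolution must refuse
})

_DN_SPECIAL = {',': '\\,', '+': '\\+', '"': '\\"', '\\': '\\\\',
               '<': '\\<', '>': '\\>', ';': '\\;', '=': '\\='}


def escape_rdn_value(value):
    """Escape an attribute value for use inside an RDN (RFC 4514, 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append(_DN_SPECIAL[ch])
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and i in (0, last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def uid_search_filter(user):
    """Build '(uid=...)' with the assertion value escaped per RFC 4515, 3."""
    escaped = ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                      for ch in user)
    return '(uid=%s)' % escaped


def domain_to_dn(domain):
    """RFC 2247 / RFC 3088 2.1: each DNS label becomes one dc= RDN, in order."""
    labels = [l for l in domain.strip('.').split('.') if l]
    if not labels or any(not re.fullmatch(r'[A-Za-z0-9-]{1,63}', l)
                         for l in labels):
        raise ValueError('malformed domain name: %r' % domain)
    return ','.join('dc=' + l.lower() for l in labels)


def parse_principal(principal):
    """Split user@domain or DOMAIN\\user into (user, domain); None if neither."""
    if principal.count('@') == 1 and '\\' not in principal:
        user, domain = principal.split('@')
    elif principal.count('\\') == 1 and '@' not in principal:
        domain, user = principal.split('\\')
    else:
        return None          # a plain DN or anything else: not our syntax
    return (user, domain) if user and domain else None


def direct_bind_dn(principal):
    """The 1:1 transformation from the thread: uid=<user>,<domain DN>."""
    parsed = parse_principal(principal)
    if parsed is None:
        return None
    user, domain = parsed
    return 'uid=%s,%s' % (escape_rdn_value(user), domain_to_dn(domain))


def resolve_bind_dn(principal, dit=SAMPLE_DIT):
    """Search-based variant: the domain DN is only the search base and the
    entry may sit under any OU. Returns None (fail closed) when the uid is
    unknown or ambiguous within the base."""
    parsed = parse_principal(principal)
    if parsed is None:
        return None
    user, domain = parsed
    base = domain_to_dn(domain)
    # A real server would run a subtree search below `base` with
    # uid_search_filter(user); here the constructed DIT is matched by DN shape.
    rdn = 'uid=' + escape_rdn_value(user)
    matches = sorted(dn for dn in dit
                     if dn.startswith(rdn + ',') and dn.endswith(',' + base))
    if len(matches) != 1:
        return None
    return matches[0]


if __name__ == '__main__':
    for p in ('jhenne@apache.org', 'apache.org\\jhenne', 'bob@apache.org'):
        print(p, '->', direct_bind_dn(p), '| resolved:', resolve_bind_dn(p))
```

Running the block prints the direct and resolved DN for each sample principal; `bob@apache.org` resolves to `None` because the constructed DIT holds that uid in two OUs, which is the case the thread's "no 1:1 mapping" remark is about.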
