From: Alex Karasulu
To: Apache Directory Developers List <dev@directory.apache.org>
Date: Fri, 04 Aug 2006 09:01:26 -0400
Message-ID: <44D34526.5090005@bellsouth.net>
Subject: Re: Binding with anything but a dn?
In-Reply-To: <44D31343.1010601@levigo.de>

Jörg Henne wrote:
> Hi all,
>
> MS Active Directory supports the use of at least two forms of Bind-DNs,
> which are not precisely DNs:
> - domain\username
> - username@dom.ain
>
> The way DS is currently implemented, there is no way to let an
> authenticator support principal names which are not in DN format,
> because the DN format of the principal is enforced very early on in the
> protocol handler.
>
> The way clients usually authenticate users seems to be
> - search for the user using either an anonymous bind or an
> administrative user id
> - use the retrieved DN to attempt a bind using the supplied credentials.
>
> Allowing non-DN format bind DNs would have two benefits IMHO:
> - let AD become more MSAD compatible
> - allow for more efficient authentication by getting rid of the extra
> search.
>
> WDYT?

Interesting idea. As far as having to do a search goes, we're still going to have to look up something to perform the authentication on bind. Even if we're looking up the user on the native OS or in the server's DIT we still have some kind of search in effect. Using native OS authentication is a different matter in itself.

We could implement this kind of authentication name format by trying to detect the syntax and then appropriately transforming the name into a DN based on the domain-to-DN mapping in RFC 3088. See section 2.1 of [0] for a means to convert a DN to a domain name and vice versa. This way the principal jhenne@apache.org or apache.org\jhenne would be transformed to uid=jhenne,dc=apache,dc=org before proceeding with the bind operation.

How does this sound?

Alex

-----
[0] - http://www.apps.ietf.org/rfc/rfc3088.html
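An added example of the transformation Alex describes (this is not ApacheDS code and not from his message): detect the two AD-style forms and map them to a DN through the domain-component mapping, and additionally escape the user part per RFC 4514 so that a supplied name containing "," or "+" cannot resolve to a different entry than intended. The function names and the choice of `uid` as the naming attribute are this example's own assumptions.

```python
import re
from typing import Optional

# Starts like an RDN ("uid=", "cn =", "0.9.2342...=") -> already a DN, leave it alone.
_LOOKS_LIKE_DN = re.compile(r"^\s*[A-Za-z0-9][A-Za-z0-9.-]*\s*=")
# One DNS label: letters/digits/hyphen, no leading or trailing hyphen, 1-63 chars.
_DNS_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for a string DN (RFC 4514 section 2.4), so a
    user name such as 'jhenne,ou=admins' cannot smuggle in an extra RDN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in '"+,;<>\\' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def domain_to_dn(domain: str) -> str:
    """Map 'apache.org' to 'dc=apache,dc=org' (the RFC 2247 / RFC 3088 s2.1 mapping)."""
    labels = domain.split(".")
    if not all(_DNS_LABEL.match(label) for label in labels):
        raise ValueError("not a valid domain name: %r" % domain)
    return ",".join("dc=" + escape_rdn_value(label) for label in labels)

def principal_to_dn(name: str, uid_attr: str = "uid") -> Optional[str]:
    """Turn 'user@dom.ain' or 'dom.ain\\user' into '<uid_attr>=user,dc=dom,dc=ain'.
    Returns None when the name is in neither form (e.g. it is already a DN), so
    the caller falls back to the normal DN bind path. Raises ValueError on
    malformed input (empty user or domain, bad DNS label)."""
    if _LOOKS_LIKE_DN.match(name):
        return None
    if "\\" in name:                       # domain\username (NetBIOS style)
        domain, _, user = name.partition("\\")
    elif "@" in name:                      # username@dom.ain (UPN style)
        user, _, domain = name.rpartition("@")
    else:
        return None
    if not user or not domain:
        raise ValueError("malformed principal name: %r" % name)
    return "%s=%s,%s" % (uid_attr, escape_rdn_value(user), domain_to_dn(domain))

if __name__ == "__main__":
    for principal in ("jhenne@apache.org", "apache.org\\jhenne", "jhenne,ou=admins@apache.org"):
        print(principal, "->", principal_to_dn(principal))
```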