directory-users mailing list archives

From "Alex Karasulu" <akaras...@apache.org>
Subject Re: YNT: Automatic Authentication
Date Thu, 25 Sep 2008 22:10:37 GMT
There is no simple username; it must be a DN at this point in time.  We could
build in a mechanism for automatically doing the search for you for the user
and then substituting the found entry DN into the bind DN to process the
authentication.  But this takes some effort to implement.

Alex

2008/9/25 Tolga YURDAKUL <ctolga@aselsan.com.tr>

> Thank you for your quick answer.
> I am new to LDAP protocol so I may have expressed the situation wrong.
> But the only way I know the client gets the DN for a user is to bind as
> admin and get the user DN from the server.
> So I need the admin password at the client side.
>
> My question is; how can I authenticate a user entering username and
> password at the client side to an Apache Directory Server without using
> admin password?
>
> Tolga.
>
> ________________________________
>
> From: akarasulu@gmail.com on behalf of: Alex Karasulu
> Sent: Thu 25.09.2008 17:05
> To: users@directory.apache.org
> Subject: Re: Automatic Authentication
>
> Hi Tolga,
>
> On Thu, Sep 25, 2008 at 9:04 AM, Tolga YURDAKUL <ctolga@aselsan.com.tr> wrote:
>
> > Hi,
> >
> > We are comparing automatic authentication procedures with Active Directory
> > and Apache Directory Server.
> >
> > With Active Directory;
> > Automatic authentication is simple; you define a user with a "logonname"
> > and use this logonname and a password for the bind procedure, which ends up
> > successful if these two values match with the values stored in the server.
> >
>
> Note that Active Directory is a NOS directory.  AD intrinsically has a means
> to either automatically find or map domain\username to some user entry.  I
> guess this is what you mean by "Automatic Authentication".
>
> This AD specific behavior is not part of the LDAP protocol.  The protocol
> requires a DN for the bind DN.
>
>
> > With Apache Directory Server;
> > You have to use the user's full Distinguished Name (DN) and a password for
> > the bind procedure. Since the user at the client machine cannot know his/her
> > DN during the logon procedure, he/she enters a username and a password. The
> > JNDI bind code at the client machine first authenticates as administrator
> > to the server, searches for the user entry using the username as a filter,
> > and if the user exists the DN is drawn to the client and used in the bind
> > procedure with the password the user entered before.
> > This is a workaround we have to use for automatic authentication.
> >
>
> We could create an AD compatibility mode that can be toggled in the
> configuration to allow ApacheDS to relax these protocol requirements: that
> is to take a non-DN as the bind principal.  This however would require some
> work on the protocol frontend and some other changes in the internals where
> bind requests are handled.
>
> To summarize, we can support this but the manpower right now is spread thin.
>
>
> >
> > Is there a way to authenticate automatically to Apache Directory Server
> > directly with a logonname and a password just like it is with Active
> > Directory without having to use DN for authentication?
> >
>
> The short answer is no.  But as you see above it's a no-brainer to implement
> this functionality.
>
> Alex
>
>
> > Tolga.
> > ######################################################################
> > Attention:
> >
> > This e-mail message is privileged and confidential. If you are
> > not the intended recipient please delete the message and notify
> > the sender. E-mails to and from the company are monitored for
> > operational reasons and in accordance with lawful business practices.
> > Any views or opinions presented are solely those of the author and
> > do not necessarily represent the views of the company.
> >
> > ######################################################################
> >
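As an added example (not code from this thread, nor ApacheDS's own), here is the search-then-bind workaround Tolga describes, written with JNDI as his client is, with the changes a defender would want: the lookup binds as a dedicated read-only search account rather than the administrator, the username is passed as a JNDI filter argument so it is escaped instead of spliced into the filter, and an empty password is refused because a simple bind with empty credentials is an anonymous bind and would otherwise "succeed". The server URL, the user base DN, the `uid` logon attribute and the `uid=search,ou=system` account are assumptions.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.SizeLimitExceededException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/**
 * Search-then-bind against ApacheDS via JNDI (added example, not from the thread).
 * Assumed values: server URL, user base DN, the "uid" logon attribute and a
 * read-only account "uid=search,ou=system" whose password comes from the
 * environment instead of being compiled into the client.
 */
public class SearchThenBind {

    private static final String LDAP_URL = "ldap://ldap.example.invalid:10389"; // assumed
    private static final String USER_BASE = "ou=users,ou=system";               // assumed
    private static final String SEARCH_DN = "uid=search,ou=system";             // assumed
    private static final String SEARCH_PASSWORD = System.getenv("LDAP_SEARCH_PASSWORD");

    /** Open a simple-bind connection as the given DN. */
    private static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAP_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    /** Map a logon name to exactly one entry DN; null if none or ambiguous. */
    static String findUserDn(String username) throws NamingException {
        DirContext ctx = bind(SEARCH_DN, SEARCH_PASSWORD);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[0]); // only the DN is needed
            sc.setCountLimit(2);                      // a second hit means "ambiguous"
            // {0} makes JNDI escape the value per RFC 4515, so input such as
            // "*" or "x)(uid=admin" is matched literally, not parsed as filter syntax.
            NamingEnumeration<SearchResult> results =
                    ctx.search(USER_BASE, "(uid={0})", new Object[] { username }, sc);
            try {
                if (!results.hasMore()) {
                    return null;
                }
                String dn = results.next().getNameInNamespace();
                return results.hasMore() ? null : dn;
            } catch (SizeLimitExceededException e) {
                return null;
            } finally {
                results.close();
            }
        } finally {
            ctx.close();
        }
    }

    /** True only if the server accepts a simple bind as the resolved user DN. */
    static boolean authenticate(String username, char[] password) {
        // An empty password turns a simple bind into an anonymous bind (RFC 4513 5.1.2),
        // which would "succeed" for any existing user; refuse it before contacting the server.
        if (username == null || username.isEmpty() || password == null || password.length == 0) {
            return false;
        }
        try {
            String dn = findUserDn(username);
            if (dn == null) {
                return false; // unknown or ambiguous logon name
            }
            DirContext userCtx = bind(dn, new String(password));
            userCtx.close();
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password
        } catch (NamingException e) {
            return false; // server unreachable or misconfigured: fail closed
        }
    }

    public static void main(String[] args) {
        if (args.length != 2) {
            System.err.println("usage: java SearchThenBind <username> <password>");
            System.exit(2);
        }
        System.out.println(authenticate(args[0], args[1].toCharArray()) ? "authenticated" : "rejected");
    }
}
```

The search account only needs read access to the `uid` attribute under the user base, so its password sitting on the client is far less damaging than the administrator's; the client still never sees the user's DN until the directory has resolved it, and the final decision rests solely on whether the server accepts the bind as that DN.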