directory-users mailing list archives

From Jim Willeke <...@willeke.com>
Subject Re: SASL and full DN
Date Sat, 21 May 2011 08:49:30 GMT
Most LDAP implementations use only the RDN or the uid value.
Looks like:
http://directory.apache.org/apacheds/1.5/21-sasl-authentication-to-apacheds.html
Username is matched to 'uid' under a base DN depending on the SASL
mechanism being used.

-jim
Jim Willeke


On Sat, May 21, 2011 at 3:03 AM, Kiran Ayyagari <kayyagari@apache.org> wrote:
>
> AFAIK using full DN won't work for SASL it requires just the RDN value
> (i.e username/userid)
>
> On Fri, May 20, 2011 at 7:36 AM, Mathias Clerc <tlarhices@gmail.com> wrote:
> > Hello,
> >
> > I have one question but as I am fairly new to LDAP as a whole it may
> > be difficult for you to understand me.
> >
> > My users have the following structure:
> > uid=user,ou=people,ou=division,o=company
> >
> > I have a user "user1" in "division1" and a user "user1" in
> > "division2". Both users are different.
> >
> > When I do a simple login, I can login to whichever I want using the
> > full DN uid=user1,ou=people,ou=division1,o=company or
> > uid=user1,ou=people,ou=division2,o=company
> >
> > To make login easier for the users, I use the following algorithm
> > (idea is from the Apache DS guide):
> > 1) login as a special account
> > 2) run a search (&(objectclass=userClass)(uid=username)) with a root
> > at o=company
> > 3) try to connect to each user found, use the first successful login as
> > current login or send an error if it was not possible to log in with
> > any account
> >
> > This works perfectly until I use SASL. When I connect with SASL and a
> > searchBaseDn set to o=company I can not give a full DN or a DN
> > relative to the search base.
> > I can log in by using the "user1" id, but the following happens:
> > uid:user1, password: the one for user1 in division1: failure
> > uid:user1, password: the one for user1 in division2: success
> >
> > Is it possible to authenticate with SASL using full DN ?
> > Or is it possible to have SASL+LDAP make a distinction between both accounts?
> > Or is it possible to have SASL+LDAP try each user found against the
> > password (and not just try one returned randomly) ?
> > Or is my setup broken ?
> >
> > Thank you
> >
>
>
>
> --
> Kiran Ayyagari

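Added example, not code from this thread or from Apache DS: a small in-memory model of the "search for the uid under a base, then bind against each candidate" procedure described in the quoted question, next to a uid-to-one-entry mapping of the kind the SASL behaviour in the question looks like, and a division-scoped lookup that removes the ambiguity. The directory entries and passwords are constructed, `simple_bind` verifies a PBKDF2 hash in place of a real LDAP bind, and all function names are assumptions for illustration.

```python
"""Model of search-then-bind login with duplicate uids under different divisions.
Constructed example: an in-memory dict stands in for the directory and a
PBKDF2 comparison stands in for the server-side simple bind."""
import hashlib
import hmac


def parse_dn(dn):
    """Split 'uid=user1,ou=people,ou=division1,o=company' into (attr, value) RDN pairs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append((attr.lower(), value))
    return parts


def is_under_base(dn, base):
    """True if dn lies in the subtree rooted at base (suffix match on the RDN list)."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(d) >= len(b) and d[-len(b):] == b


_SALT = b"constructed-static-salt"  # constructed; one salt per entry in real storage


def _hash(password, salt=_SALT):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


# Constructed directory: two distinct users sharing uid=user1 in different divisions,
# mirroring the layout in the question.
DIRECTORY = {
    "uid=user1,ou=people,ou=division1,o=company":
        {"objectclass": "userClass", "uid": "user1", "pw": _hash("div1-secret")},
    "uid=user1,ou=people,ou=division2,o=company":
        {"objectclass": "userClass", "uid": "user1", "pw": _hash("div2-secret")},
    "uid=user2,ou=people,ou=division1,o=company":
        {"objectclass": "userClass", "uid": "user2", "pw": _hash("user2-secret")},
}


def search_uid(base, uid):
    """Step 2 of the question: (&(objectclass=userClass)(uid=<uid>)) with base as the root."""
    return [dn for dn, e in DIRECTORY.items()
            if is_under_base(dn, base) and e["objectclass"] == "userClass" and e["uid"] == uid]


def simple_bind(dn, password):
    """Step 3 stand-in: a simple bind by full DN, constant-time comparison of the derived key."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry["pw"], _hash(password))


def login_try_each(base, uid, password):
    """The question's procedure: try every candidate entry, return the first DN that
    binds, or None if none of them accepts the password."""
    for dn in search_uid(base, uid):
        if simple_bind(dn, password):
            return dn
    return None


def login_first_only(base, uid, password):
    """A uid-to-DN mapping that keeps a single search result (the behaviour the
    question observes with SASL): only that one entry's password can succeed."""
    candidates = search_uid(base, uid)
    if not candidates:
        return None
    dn = candidates[-1]  # whichever entry the server happens to hand back
    return dn if simple_bind(dn, password) else None


def login_scoped(division, uid, password):
    """Disambiguate by narrowing the search base to the user's division so the uid
    is unique under it; refuse to bind if the result is still not exactly one entry."""
    base = f"ou=people,ou={division},o=company"
    candidates = search_uid(base, uid)
    if len(candidates) != 1:
        return None
    return candidates[0] if simple_bind(candidates[0], password) else None


if __name__ == "__main__":
    print("try-each, division1 password:", login_try_each("o=company", "user1", "div1-secret"))
    print("first-only, division1 password:", login_first_only("o=company", "user1", "div1-secret"))
    print("scoped to division1:", login_scoped("division1", "user1", "div1-secret"))
```

Run as a script, the first line resolves to the division1 entry, the second returns None (the mapping picked the division2 entry, so the division1 password fails exactly as in the question), and the third succeeds because the uid is unique under the narrowed base. The scoped variant is the one to prefer where the directory layout allows it: it never has to try one password against several accounts.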