directory-users mailing list archives

From Mathias Clerc <tlarhi...@gmail.com>
Subject SASL and full DN
Date Fri, 20 May 2011 02:06:23 GMT
Hello,

I have one question but as I am fairly new to LDAP as a whole it may
be difficult for you to understand me.

My users have the following structure:
uid=user,ou=people,ou=division,o=company

I have a user "user1" in "division1" and a user "user1" in
"division2". Both users are different.

When I do a simple login, I can login to whichever I want using the
full DN uid=user1,ou=people,ou=division1,o=company or
uid=user1,ou=people,ou=division2,o=company

To make login easier for the users, I use the following algorithm
(the idea is from the Apache DS guide):
1) login as a special account
2) run a search (&(objectclass=userClass)(uid=username)) with a root
at o=company
3) try to connect as each user found, use the first successful login as
the current login, or send an error if it was not possible to log in with
any account

This works perfectly until I use SASL. When I connect with SASL and a
searchBaseDn set to o=company I cannot give a full DN or a DN
relative to the search base.
I can log in by using the "user1" id, but the following happens:
uid: user1, password: the one for user1 in division1: failure
uid: user1, password: the one for user1 in division2: success

Is it possible to authenticate with SASL using full DN ?
Or is it possible to have SASL+LDAP make a distinction between both accounts?
Or is it possible to have SASL+LDAP try each user found against the
password (and not just try one returned randomly) ?
Or is my setup broken ?

Thank you
