directory-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kiran Ayyagari <>
Subject Re: SASL and full DN
Date Sat, 21 May 2011 07:03:21 GMT
AFAIK using full DN won't work for SASL it requires just the RDN value
(i.e username/userid)

On Fri, May 20, 2011 at 7:36 AM, Mathias Clerc <> wrote:
> Hello,
> I have one question but as I am fairly new to LDAP as a whole it may
> be difficult for you to understand me.
> My users have the following structure :
> uid=user,ou=people,ou=division,o=company
> I have a user "user1" in "division1" and a user "user1" in
> "division2". Both users are different.
> When I do a simple login, I can login to whichever I want using the
> full DN uid=user1,ou=people,ou=division1,o=company or
> uid=user1,ou=people,ou=division2,o=company
> To make login easier for the users, I use the following algorythm
> (idea is from apache DS guide) :
> 1) login as a special account
> 2) run a search (&(objectclass=userClass)(uid=username)) with a root
> at o=company
> 3) try to connect to each user found, use the first succefull login as
> current login or send an error if it was not possible to log in with
> any account
> This works perfectly until I use SASL. When I connect wit SASL and a
> searchBaseDn set to o=company I can not give a full DN or a DN
> relative to the search base.
> I can log in by using "user1" id, but the following happens :
> uid:user1, password:the one for user1 in division1 : failure
> uid:user1, password:the one for user1 in division2 : success
> Is it possible to authenticate with SASL using full DN ?
> Or is it possible to have SASL+LDAP make a distinction between both account ?
> Or is it possible to have SASL+LDAP try each user found against the
> password (and not just try one returned randomly) ?
> Or is my setup broken ?
> Thank you

Kiran Ayyagari

View raw message