From: Mathias Clerc
Date: Fri, 20 May 2011 11:06:23 +0900
Subject: SASL and full DN
To: users@directory.apache.org

Hello,

I have one question, but as I am fairly new to LDAP as a whole it may be difficult for you to understand me.

My users have the following structure:

uid=user,ou=people,ou=division,o=company

I have a user "user1" in "division1" and a user "user1" in "division2". Both users are different.

When I do a simple login, I can log in to whichever I want using the full DN uid=user1,ou=people,ou=division1,o=company or uid=user1,ou=people,ou=division2,o=company.

To make login easier for the users, I use the following algorithm (the idea is from the Apache DS guide):

1) log in as a special account
2) run a search (&(objectclass=userClass)(uid=username)) with a root at o=company
3) try to connect to each user found; use the first successful login as the current login, or send an error if it was not possible to log in with any account

This works perfectly until I use SASL. When I connect with SASL and a searchBaseDn set to o=company, I cannot give a full DN or a DN relative to the search base. I can log in by using the "user1" id, but the following happens:

uid: user1, password: the one for user1 in division1: failure
uid: user1, password: the one for user1 in division2: success

Is it possible to authenticate with SASL using a full DN?
Or is it possible to have SASL+LDAP make a distinction between both accounts?
Or is it possible to have SASL+LDAP try each user found against the password (and not just try one returned randomly)?
Or is my setup broken?

Thank you
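The following is an added example written for this archive page; it is not code from the original mail, from the Apache DS guide, or from ApacheDS itself. It models the two behaviours the post compares against a small constructed in-memory directory: the search-then-bind procedure the poster describes (bind as a service account, search for uid=<username> under o=company, try a simple bind against every DN returned), and a resolver that maps a username to a single DN and binds only that one, which reproduces the failure mode the post reports when the same uid exists in two divisions. Everything here is assumed for illustration: the entries and passwords are constructed, `inetOrgPerson` stands in for the post's `userClass` placeholder, the salted SHA-256 storage is a stand-in for whatever password scheme a real server uses, and which duplicate the single-DN resolver picks (the first search hit) is a modelling choice, not a statement about how ApacheDS chooses.

```python
"""Search-then-bind login versus single-DN username mapping.

Added example (not from the original mail or from ApacheDS). The directory,
its DNs, passwords and hashing scheme are all constructed here so the file
runs offline with the standard library only.
"""
import hashlib
import hmac
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted SHA-256 is a stand-in for the server's real password scheme.
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def make_entry(uid: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"uid": uid, "objectClass": "inetOrgPerson",
            "salt": salt, "pwd": _hash_password(password, salt)}


# Constructed directory, DN -> attributes. Same uid in two divisions, as in the post.
DIRECTORY = {
    "uid=user1,ou=people,ou=division1,o=company": make_entry("user1", "div1-secret"),
    "uid=user1,ou=people,ou=division2,o=company": make_entry("user1", "div2-secret"),
    "uid=user2,ou=people,ou=division1,o=company": make_entry("user2", "other"),
}


def simple_bind(dn: str, password: str) -> bool:
    """Model an LDAP simple bind: succeed only if the DN exists and the password matches.

    An empty password is rejected explicitly: on a real server a simple bind with a
    DN and an empty password is an unauthenticated bind, which 'succeeds' without
    proving anything and must never be treated as a login."""
    if not password:
        return False
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    return hmac.compare_digest(entry["pwd"], _hash_password(password, entry["salt"]))


def search_uid(base_dn: str, uid: str) -> list:
    """Model a subtree search for (&(objectClass=inetOrgPerson)(uid=<uid>)) under base_dn.
    Returns matching DNs in directory order."""
    suffix = "," + base_dn
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith(suffix) and e["objectClass"] == "inetOrgPerson" and e["uid"] == uid]


def search_then_bind(username: str, password: str, base_dn: str = "o=company"):
    """The post's algorithm: try every candidate DN, return the first that binds, else None.

    Note that a password belonging to the second candidate is first tried against the
    first candidate, i.e. it is recorded there as a failed bind."""
    for dn in search_uid(base_dn, username):
        if simple_bind(dn, password):
            return dn
    return None


def single_mapping_bind(username: str, password: str, base_dn: str = "o=company"):
    """A resolver that maps the username to exactly one DN and binds only that DN.

    With a duplicate uid under base_dn the account that is not selected can never
    log in by username. Picking the first hit is this model's choice only."""
    candidates = search_uid(base_dn, username)
    if not candidates:
        return None
    dn = candidates[0]
    return dn if simple_bind(dn, password) else None


def find_duplicate_uids(base_dn: str = "o=company") -> dict:
    """Pre-flight check: uids that resolve to more than one DN under base_dn.

    Any uid listed here is ambiguous for a username-to-DN mapping."""
    seen = {}
    for dn, e in DIRECTORY.items():
        if dn.endswith("," + base_dn) and e["objectClass"] == "inetOrgPerson":
            seen.setdefault(e["uid"], []).append(dn)
    return {uid: dns for uid, dns in seen.items() if len(dns) > 1}


if __name__ == "__main__":
    print("duplicates:", find_duplicate_uids())
    print("search-then-bind, div1 password:", search_then_bind("user1", "div1-secret"))
    print("search-then-bind, div2 password:", search_then_bind("user1", "div2-secret"))
    print("single mapping, div1 password:", single_mapping_bind("user1", "div1-secret"))
    print("single mapping, div2 password:", single_mapping_bind("user1", "div2-secret"))
```

Two practical points fall out of the model. First, `find_duplicate_uids()` is the check to run before switching to any username-based mechanism: if it returns anything, a username alone cannot identify an account under that search base, and the usual remedies are to narrow the search base per division, to make the login name unique under the base, or to keep the full DN as the identity. Second, the try-each-candidate fallback has a cost that the post does not mention: every attempt it makes with the "wrong" candidate is a genuine failed bind on someone else's account, so with password-policy lockouts in place one user's typo can count against the other user who shares the uid.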