Richard Gibson
2006-Jan-12 12:36 UTC
[Fedora-directory-users] Binding using attribute other than CN
Hello there. I've been using the Fedora Directory Server for very small scale testing at work, but actually know rather little about LDAP unfortunately. Hopefully you won't mind. Anyway, is it possible to bind with an entry other than CN? I have the following user (LDIF format):

dn: uid=RSmith,ou=People, dc=fedora,dc=test,dc=com
mail: blablabla@test.com
uid: RSmith
givenName: Richard
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: ntuser
objectClass: posixAccount
sn: Smith
cn: RSmith
creatorsName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
modifiersName: uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
createTimestamp: 20050905103419Z
modifyTimestamp: 20050916131603Z
nsUniqueId: 86b5b081-1dd211b2-806ddcd6-e1700000
ntUserDomainId: smithr
uidNumber: 1
gidNumber: 2
homeDirectory: /home/smithr

When attempting to bind using the following (as taken from the access log):

BIND dn="ntUserDomainId=Richard Smith,ou=People,dc=fedora,dc=test,dc=com" method=128 version=3

...I get "No such object". This user does exist though. Is binding using the ntUserDomainId out of the question?

I notice from the following discussion that the same sort of thing is possible in Active Directory, although I have not tried it myself:
http://groups.google.co.uk/group/microsoft.public.adsi.general/browse_thread/thread/b5fc22bfdd9079fe/f1caf3c9cf6c8188?lnk=st&q=ldap+bind+only+via+CN%3F&rnum=1&hl=en#f1caf3c9cf6c8188

Any pointers would be greatly appreciated.

Thanks
Rich
Pete Rowley
2006-Jan-12 19:28 UTC
Re: [Fedora-directory-users] Binding using attribute other than CN
Richard Gibson wrote:
> When attempting to bind using the following (as taken from the access
> log):
> BIND dn="ntUserDomainId=Richard
> Smith,ou=People,dc=fedora,dc=test,dc=com" method=128 version=3
>
> ...I get "No such object". This user does exist though. Is binding
> using the ntUserDomainId out of the question?

When you bind you are not binding with an attribute, you specify the whole dn of the entry to bind with (and there is only one DN per entry) - that is the protocol specification for simple bind. Usually a client will allow "login" by requesting a username or some such and then searching the directory for that value in one or more attributes that it is configured or coded for, retrieving the dn of the entry returned and then binding with that. So end users need never see a DN in the normal course of events (and in fact DNs are not /supposed/ to be seen by end users).

> I notice from the following discussion that the same sort of thing is
> possible in Active Directory, although I have not tried it myself:
> http://groups.google.co.uk/group/microsoft.public.adsi.general/browse_thread/thread/b5fc22bfdd9079fe/f1caf3c9cf6c8188?lnk=st&q=ldap+bind+only+via+CN%3F&rnum=1&hl=en#f1caf3c9cf6c8188

Specifically, no, this mechanism is not supported. We support SASL, but not SPNEGO. We definitely do not support bind based on attribute value where the protocol documents say a DN should be.

--
Pete
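The "search, then bind with the returned DN" flow that Pete describes, written out as an added example (this is not code from the thread or from Fedora Directory Server). The in-memory FakeDirectory, the LOGIN_ATTRIBUTES list, the passwords and the second "smithr" entry are constructed for the example; the RSmith entry's attribute values are taken from the question. It goes a little beyond the reply in two places a practitioner cares about: the login name is escaped per RFC 4515 before it goes into the filter, and the search must return exactly one entry before any bind is attempted, so a name that matches one person's uid and another person's ntUserDomainId is refused rather than guessed at.

```python
"""Search-then-bind login against a directory.

The client never lets the user type a DN: it looks the login name up in a
configured set of attributes, takes the single entry's DN, and simple-binds
with that DN and the supplied password.
"""
import hmac
import re

# Attributes a login name may be matched against (an assumed client setting).
LOGIN_ATTRIBUTES = ("uid", "mail", "ntUserDomainId")


def escape_filter_value(value: str) -> str:
    """Escape user input for an LDAP search filter (RFC 4515).

    Without this, a login name such as '*' would act as a wildcard instead
    of being matched literally.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_login_filter(login: str, attrs=LOGIN_ATTRIBUTES) -> str:
    """Filter matching the login name in any of the configured attributes."""
    escaped = escape_filter_value(login)
    return "(|" + "".join(f"({attr}={escaped})" for attr in attrs) + ")"


class FakeDirectory:
    """Constructed stand-in for a real server: OR-of-equality filters and
    simple bind only. A real client sends the same filter and bind over LDAP."""

    def __init__(self, entries, passwords):
        self.entries = entries      # dn -> {attribute: [values]}
        self.passwords = passwords  # dn -> password (constructed sample data)

    @staticmethod
    def _unescape(value: str) -> str:
        return re.sub(r"\\([0-9a-fA-F]{2})",
                      lambda m: chr(int(m.group(1), 16)), value)

    def search(self, base: str, ldap_filter: str):
        """Return the DNs under `base` matching the (|(a=v)(a=v)...) filter."""
        assertions = [(a, self._unescape(v))
                      for a, v in re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)]
        hits = []
        for dn, attrs in self.entries.items():
            if not dn.lower().endswith("," + base.lower()):
                continue
            for attr, wanted in assertions:
                # uid, mail and ntUserDomainId use case-insensitive matching
                if any(v.lower() == wanted.lower() for v in attrs.get(attr, [])):
                    hits.append(dn)
                    break
        return hits

    def simple_bind(self, dn: str, password: str) -> bool:
        """Simple bind: the DN must exist and the password must match."""
        stored = self.passwords.get(dn)
        return stored is not None and hmac.compare_digest(stored, password)


def login(directory, base: str, login_name: str, password: str):
    """Return the bound DN on success, None on any failure."""
    if not login_name or not password:
        return None  # an empty password is an anonymous bind, not a login
    matches = directory.search(base, build_login_filter(login_name))
    if len(matches) != 1:
        return None  # unknown login name, or one that matches several entries
    dn = matches[0]
    return dn if directory.simple_bind(dn, password) else None


BASE_DN = "ou=People,dc=fedora,dc=test,dc=com"
RSMITH_DN = "uid=RSmith,ou=People,dc=fedora,dc=test,dc=com"
OTHER_DN = "uid=smithr,ou=People,dc=fedora,dc=test,dc=com"  # constructed

DIRECTORY = FakeDirectory(
    entries={
        RSMITH_DN: {"uid": ["RSmith"], "cn": ["RSmith"], "sn": ["Smith"],
                    "mail": ["blablabla@test.com"], "ntUserDomainId": ["smithr"]},
        # A second, constructed account whose uid collides with RSmith's
        # ntUserDomainId, making the login name "smithr" ambiguous.
        OTHER_DN: {"uid": ["smithr"], "cn": ["Other User"], "sn": ["User"]},
    },
    passwords={RSMITH_DN: "example-password", OTHER_DN: "another-password"},
)

if __name__ == "__main__":
    print(login(DIRECTORY, BASE_DN, "RSmith", "example-password"))  # RSmith's DN
    print(login(DIRECTORY, BASE_DN, "smithr", "example-password"))  # None (ambiguous)
    print(login(DIRECTORY, BASE_DN, "*", "example-password"))       # None (escaped)
```

The bind step is exactly what the access log in the question shows, except that the DN comes from the search result rather than from the user, so the server is always handed the entry's real DN.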