Hi all,
MS Active Directory supports the use of at least two forms of bind DNs,
which are not precisely DNs:
- domain\username
- [EMAIL PROTECTED]
The way DS is currently implemented, there is no way to let an
authenticator support principal names which are not in DN format,
because the DN format of the principal is enforced very early on in the
protocol handler.
The way clients usually authenticate users seems to be
- search for the user using either an anonymous bind or an
administrative user id
- use the retrieved DN to attempt a bind using the supplied credentials.
Allowing non-DN format bind DNs would have two benefits IMHO:
- let AD become more MSAD compatible
- allow for more efficient authentication by getting rid of the extra search.
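As an added illustration (not ApacheDS code), the snippet below recognises the two MSAD name forms listed above next to a proper DN, builds the search filter a server would use to resolve such a name to an entry, and simulates the "search, then bind" step against a constructed in-memory directory. The attribute names sAMAccountName and userPrincipalName are MSAD's; the objectClass=user filter term and the sample entries are assumptions.

```python
import re
from typing import Dict, Optional

# Constructed sample directory standing in for the search step of the
# "search, then bind" flow; a real server would evaluate the LDAP filter.
SAMPLE_DIRECTORY: Dict[str, Dict[str, str]] = {
    "cn=jdoe,ou=users,dc=example,dc=com": {
        "sAMAccountName": "jdoe", "userPrincipalName": "jdoe@example.com"},
    "cn=asmith,ou=users,dc=example,dc=com": {
        "sAMAccountName": "asmith", "userPrincipalName": "asmith@example.com"},
}

_DN_RE = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=")

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a bind name must not be able to add filter terms."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def classify_bind_name(name: str) -> str:
    """'dn', 'ntlm' (domain\\user), 'upn' (user@domain) or 'unknown'."""
    if _DN_RE.match(name):
        return "dn"
    if name.count("\\") == 1 and "@" not in name:
        return "ntlm"
    if name.count("@") == 1 and "\\" not in name:
        return "upn"
    return "unknown"

def lookup_filter(name: str) -> Optional[str]:
    """Filter that locates the entry for a non-DN bind name; None if the name
    is already a DN (bind directly) or unrecognised (reject)."""
    kind = classify_bind_name(name)
    if kind == "ntlm":
        user = name.split("\\", 1)[1]
        if not user:
            return None
        return "(&(objectClass=user)(sAMAccountName=%s))" % escape_filter_value(user)
    if kind == "upn":
        return "(&(objectClass=user)(userPrincipalName=%s))" % escape_filter_value(name)
    return None

def resolve_bind_name(name: str, directory: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Search step: map a bind name to exactly one DN, else None (ambiguous or
    unknown names are rejected rather than guessed). Matching is case-insensitive."""
    kind = classify_bind_name(name)
    if kind == "dn":
        return name if name in directory else None
    attr, value = {"ntlm": ("sAMAccountName", name.split("\\", 1)[-1]),
                   "upn": ("userPrincipalName", name)}.get(kind, (None, None))
    matches = [dn for dn, e in directory.items()
               if attr and value and e.get(attr, "").lower() == value.lower()]
    return matches[0] if len(matches) == 1 else None
```

The DN returned by resolve_bind_name is what the client (or a server doing this internally) would then bind with using the supplied password.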
WDYT?
Joerg Henne