Alex Karasulu wrote:
Jörg Henne wrote:
Hi all,
MS Active Directory supports the use of at least two forms of Bind-DNs,
which are not precisely DNs:
- domain\username
- [EMAIL PROTECTED]
The way DS is currently implemented, there is no way to let an
authenticator support principal names which are not in DN format,
because the DN format of the principal is enforced very early on in
the protocol handler.
The way clients usually authenticate users seems to be
- search for the user using either an anonymous bind or an
administrative user id
- use the retrieved DN to attempt a bind using the supplied credentials.
Allowing non-DN format bind DNs would have two benefits IMHO:
- let AD become more MSAD compatible
- allow for more efficient authentication by getting rid of the extra
search.
WDYT?
Interesting idea. As far as having to do a search, we're still going
to have to look up something to perform the authentication on bind.
Even if we're looking up the user on the native OS or in the server's
DIT we still have some kind of search in effect. Using native OS
authentication is a different matter in itself.
We could implement this kind of authentication name format by trying
to detect the syntax and then appropriately transforming the name into
a DN based on the domain to dn mapping in RFC 3088. See section 2.1
of [0] for a means to convert a DN to a domain name and vice versa.
This way principal [EMAIL PROTECTED] or apache.org\jhenne would be
transformed to uid=jhenne,dc=apache,dc=org before proceeding with the
bind operation.
How does this sound?
Alex
-----
[0] - http://www.apps.ietf.org/rfc/rfc3088.html
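As an added example (not code from this thread or from Apache Directory Server), here is the detect-and-transform step Alex describes, in Python: it accepts the two MSAD name forms, maps the domain labels to dc= components, and escapes the user part per RFC 4514 so that a crafted user name cannot rewrite the resulting DN. The uid attribute and the assumption that the user entry sits directly under the domain entry are my assumptions, not something the thread states.

```python
import re

# Characters RFC 4514 requires escaping inside an RDN attribute value.
_RDN_SPECIAL = set(',+"\\<>;=')
# One DNS label: letters/digits, hyphens inside only.
_LABEL = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$')
# Crude "is this already a DN" test: starts with attributeType= (assumption).
_DN_START = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=')


def escape_rdn_value(value):
    """Escape an RDN value (RFC 4514 2.4). Without this a user part such as
    'jhenne,dc=evil' would inject extra components into the resulting DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        special = (ch in _RDN_SPECIAL
                   or (ch == '#' and i == 0)
                   or (ch == ' ' and i in (0, last)))
        out.append('\\' + ch if special else ch)
    return ''.join(out)


def domain_to_dn(domain):
    """Map 'apache.org' to 'dc=apache,dc=org', one dc= per label."""
    labels = domain.lower().split('.')
    if not all(_LABEL.match(label) for label in labels):
        raise ValueError('invalid domain name: %r' % domain)
    return ','.join('dc=' + label for label in labels)


def principal_to_dn(name, user_attr='uid'):
    """Turn user@domain or domain\\user into a DN; pass real DNs through.
    Anything that is none of the three is rejected rather than guessed."""
    if _DN_START.match(name):
        return name                       # already a DN, leave untouched
    if '\\' in name:                      # domain\user (checked first, as AD does)
        domain, user = name.split('\\', 1)
    elif '@' in name:                     # user@domain; last '@' separates domain
        user, domain = name.rsplit('@', 1)
    else:
        raise ValueError('not a DN, UPN or domain\\user name: %r' % name)
    if not user or not domain:
        raise ValueError('empty user or domain in %r' % name)
    # Assumption: users live directly under the domain entry, keyed by uid.
    return '%s=%s,%s' % (user_attr, escape_rdn_value(user), domain_to_dn(domain))


if __name__ == '__main__':
    for n in ('jhenne@apache.org', 'apache.org\\jhenne', 'jhenne,dc=evil@apache.org'):
        print('%-28s -> %s' % (n, principal_to_dn(n)))
```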
RFC 3062 [1] also relates to this topic in the context of non-DN user names.
--
Ersin
[1] http://tools.ietf.org/html/rfc3062