Alex Karasulu wrote:
Jörg Henne wrote:
Alex Karasulu wrote:
Interesting idea. As far as having to do a search we're still going
to have to lookup something to perform the authentication on bind.
Even if we're looking up the user on the native OS or in the
server's DIT we still have some kind of search in effect. Using
native OS authentication is a different matter in itself.
We could implement this kind of authentication name format by trying
to detect the syntax and then appropriately transforming the name
into a DN based on the domain to dn mapping in RFC 3088. See
section 2.1 of [0] for a means to convert a DN to a domain name and
vice versa.
This way principal [EMAIL PROTECTED] or apache.org\jhenne would be
transformed to uid=jhenne,dc=apache,dc=org before proceeding with
the bind operation.
How does this sound?
That's roughly what I am thinking of. However, a simple mapping is
most likely not enough, since there may not be a 1:1 mapping from the
specified name to the DN to bind with (e.g. users spread over several
OUs may well share the same domain).
You mean the principal's entry may be in some place in the directory
which does not follow the domain to DN mapping I guess. Like ...
[EMAIL PROTECTED] really being in uid=jhenne,ou=users,dc=apache,dc=org
Yes, yes, this is a reasonable conclusion.
Yup, exactly. That's the way our MSADS is set up.
Joerg Henne
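The two-step scheme the thread converges on, written out as an added example (this is not code from the thread or from ApacheDS; the directory contents, the `resolve_bind_dn` helper and its error behaviour are assumptions for illustration): a `user@domain` or `DOMAIN\user` principal is first parsed, the domain is mapped to `dc=` components as Alex describes, and because that naive `uid=user,dc=...` guess will miss users that live under an OU, the domain base is then used as the search base for a subtree lookup on `uid`. An ambiguous result (the same uid under two OUs) is refused rather than guessed, since binding as the wrong entry is worse than a failed bind.

```python
"""Added example, not part of the mailing-list thread or ApacheDS:
map an authentication name to a bind DN, then resolve the real entry.

Supported name forms: user@domain, DOMAIN\\user, or a DN passed through.
"""
import re

# Characters that must be escaped inside an RDN attribute value (RFC 4514).
_DN_SPECIAL = re.compile(r'([\\,+"<>;=#])')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN."""
    escaped = _DN_SPECIAL.sub(r'\\\1', value)
    if escaped.startswith(' '):
        escaped = '\\' + escaped
    if escaped.endswith(' '):
        escaped = escaped[:-1] + '\\ '
    return escaped


def domain_to_dn(domain: str) -> str:
    """apache.org -> dc=apache,dc=org (one dc= RDN per DNS label)."""
    labels = [lbl for lbl in domain.lower().strip('.').split('.') if lbl]
    if not labels or any(not re.fullmatch(r'[a-z0-9-]+', lbl) for lbl in labels):
        raise ValueError(f'invalid domain name: {domain!r}')
    return ','.join(f'dc={lbl}' for lbl in labels)


def parse_principal(principal: str):
    """Return (user, domain) for user@domain or DOMAIN\\user, else None."""
    if '\\' in principal:
        domain, _, user = principal.partition('\\')
    elif '@' in principal:
        user, _, domain = principal.rpartition('@')
    else:
        return None
    if not user or not domain:
        raise ValueError(f'malformed principal: {principal!r}')
    return user, domain


def naive_bind_dn(principal: str) -> str:
    """The plain 1:1 mapping: uid=<user> directly under the domain's dc= base."""
    user, domain = parse_principal(principal)
    return f'uid={escape_rdn_value(user)},{domain_to_dn(domain)}'


# Constructed stand-in for a DIT: DN -> attributes. Users sit under several
# OUs of the same domain, so the 1:1 mapping alone cannot find them.
CONSTRUCTED_DIT = {
    'uid=jhenne,ou=users,dc=apache,dc=org': {'uid': 'jhenne'},
    'uid=akarasulu,ou=developers,dc=apache,dc=org': {'uid': 'akarasulu'},
    'uid=dup,ou=users,dc=apache,dc=org': {'uid': 'dup'},
    'uid=dup,ou=contractors,dc=apache,dc=org': {'uid': 'dup'},
}


def resolve_bind_dn(principal: str, dit: dict) -> str:
    """Map the principal to a search base, then locate the entry by uid.

    Raises LookupError when no entry or more than one entry matches, so an
    ambiguous name never silently binds as the wrong user.
    """
    parsed = parse_principal(principal)
    if parsed is None:
        return principal  # assumed to be a DN already
    user, domain = parsed
    base = domain_to_dn(domain)
    direct = f'uid={escape_rdn_value(user)},{base}'
    if direct in dit:
        return direct  # the 1:1 mapping happened to be right
    # Subtree search under the domain base (exact, case-sensitive matching
    # here; a real server compares DNs and uid values case-insensitively).
    suffix = ',' + base
    matches = [dn for dn, attrs in dit.items()
               if dn.endswith(suffix) and attrs.get('uid') == user]
    if len(matches) != 1:
        raise LookupError(f'{len(matches)} entries match uid={user!r} under {base}')
    return matches[0]


if __name__ == '__main__':
    for name in ('jhenne@apache.org', 'apache.org\\jhenne'):
        print(name, '->', naive_bind_dn(name), '->',
              resolve_bind_dn(name, CONSTRUCTED_DIT))
```

Note that the search step is what makes the scheme work for the MS AD style layout Jörg describes, and the same search is also what keeps the cost of a bind roughly where it was: one lookup per bind, only now keyed by the derived base and uid instead of by a client-supplied DN.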