Brian Elliott Finley wrote:
> I have a corporate white pages directory [using OpenLDAP] which requires
> authentication. My desire is that users, when configuring their ldap
> clients, will only need to put in their username and password, but I
> have not yet found a way to do this.
> Here are some details that might help:
> * Desired binding DN for a user: "username"
> * Current binding DN for a user: "uid=username,dc=example,dc=com"
> The directory is perfectly flat.
The only standards-compliant way to Bind with a simple username is using
SASL Binds.
Since you're using Kerberos anyway, SASL/GSSAPI is the logical choice.
> Here are some additional OpenLDAP specifics with regard to my current
> authentication setup:
> * Passwords are backended by Kerberos
> * Users may not have a ticket prior to binding, so cn=gssapi,cn=auth
> is not feasible.
Then there is no simple solution. Write wrappers for your clients that
check to make sure a TGT exists before binding, doing the appropriate
initial authentication step if not.
> * userPassword is set to "[EMAIL PROTECTED]"
You probably mean {SASL} as there is no {GSSAPI} password mechanism in
OpenLDAP.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
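A client wrapper of the kind Howard describes, as an added example that is not part of the original thread or of OpenLDAP itself: it checks the credential cache with `klist -s`, runs `kinit` (the initial authentication step) when no valid TGT is present, and only then issues the search with a SASL/GSSAPI bind. The LDAP URI, search base and `KRB_PRINCIPAL` variable are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Wrapper around ldapsearch for a directory that only accepts SASL/GSSAPI
# binds. Users type their username/password once, for kinit; the LDAP
# bind itself then carries the Kerberos ticket, so no bind DN is needed.
# Assumed placeholder values: adjust LDAP_URI, SEARCH_BASE and KRB_PRINCIPAL.

LDAP_URI="${LDAP_URI:-ldap://ldap.example.com}"
SEARCH_BASE="${SEARCH_BASE:-dc=example,dc=com}"
# KRB_PRINCIPAL may be left empty; kinit then uses the default principal.

# Return 0 if the credential cache holds a valid (non-expired) TGT.
# `klist -s` is silent and reports this through its exit status.
have_tgt() {
    klist -s 2>/dev/null
}

# Obtain a TGT if none is present. Fails (non-zero) if kinit fails,
# so the caller never attempts a GSSAPI bind without credentials.
ensure_tgt() {
    if have_tgt; then
        return 0
    fi
    echo "No Kerberos ticket found; running kinit${KRB_PRINCIPAL:+ for $KRB_PRINCIPAL}" >&2
    kinit ${KRB_PRINCIPAL:+"$KRB_PRINCIPAL"}
}

# Perform the search with a GSSAPI SASL bind (-Y GSSAPI), acquiring a
# ticket first. Extra arguments are passed through to ldapsearch.
gssapi_search() {
    ensure_tgt || return 1
    ldapsearch -Y GSSAPI -H "$LDAP_URI" -b "$SEARCH_BASE" "$@"
}

# Usage: wrapper.sh '(uid=someone)' [attributes...]
# Runs only when a filter is given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    gssapi_search "$@"
fi
```

The wrapper never falls back to a simple bind: if `kinit` fails, `gssapi_search` returns 1 before contacting the directory, which keeps the password from ever being sent to LDAP in clear text and leaves Kerberos as the only place the initial authentication happens.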