Thus spake Howard Chu ([EMAIL PROTECTED]):
Brian Elliott Finley wrote:
I have a corporate white pages directory [using OpenLDAP] which requires
authentication. My desire is that users, when configuring their ldap
clients, will only need to put in their username and password, but I
have not yet found a way to do this.
Here are some details that might help:
* Desired binding DN for a user: "username"
* Current binding DN for a user: "uid=username,dc=example,dc=com"
The directory is perfectly flat.
The only standards-compliant way to Bind with a simple username is using
SASL Binds.
Since you're using Kerberos anyway, SASL/GSSAPI is the logical choice.
Here are some additional OpenLDAP specifics with regard to my current
authentication setup:
* Passwords are backended by kerberos
* Users may not have a ticket prior to binding, so cn=gssapi,cn=auth
is not feasible.
Then there is no simple solution. Write wrappers for your clients that
check to make sure a TGT exists before binding, doing the appropriate
initial authentication step if not.
Bummer. Wrappers will not be feasible in this case, as the clients may
vary far and wide. Some may not even be configured to use kerberos.
* userPassword is set to "[EMAIL PROTECTED]"
You probably mean {SASL} as there is no {GSSAPI} password mechanism in
OpenLDAP.
Yes. You are correct. And to be perfectly clear for archival purposes,
I have userPassword set to "[EMAIL PROTECTED]".
Thanks,
-Brian
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
--
Brian Elliott Finley
Mobile: 630.631.6621
