[Fedora-directory-users] Binding using attribute other than CN

Richard Megginson rmeggins at redhat.com
Thu Jan 12 15:45:17 UTC 2006


Richard Gibson wrote:

> My apologies - I put the wrong bind example in. Attempting to bind as 
> dn="ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com" also fails.

Yes, because the DN of the entry is uid=RSmith,ou=People, 
dc=fedora,dc=test,dc=com not 
ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com

> Richard, regarding the alternative search filter, is it possible to 
> perform a search where you match against a password?

What exactly are you trying to do?  When you perform an LDAP BIND 
operation, you pass the credentials (i.e. the password) to the directory 
server, and it does the password comparison.  LDAP BIND using other 
mechanisms (SASL, TLS) allows you to pass credentials other than 
passwords.  The client should never attempt to read the password from 
the directory server and do the password comparison itself.

>
> I'm using this to currently perform a silent login after having binded 
> (is that a word?) was the directory admin.
> SRCH base="ou=People,dc=fedora,dc=test,dc=com" scope=2 
> filter="(&(objectClass=*)(ntUserDomainId=SmithR))" attrs="memberOf"

You don't need (objectclass=*) - it is redundant in this context.  You 
can just use filter="(ntUserDomainId=SmithR)"

Fedora DS does not support the memberOf attribute - you would have to 
add additional schema to support it.

>
> I imagine it would be fairly easy to extract the password too. Do you 
> think so? Would I use the userPassword field for this? Do you think 
> that this is what most directories will store the user's password in?
>
> Many thanks again
> Rich
>
> On 12/01/06, *Richard Megginson* <rmeggins at redhat.com 
> <mailto:rmeggins at redhat.com>> wrote:
>
>     I don't think this will work either.  The DN for the entry is
>     uid=RSmith,ou=People, dc=fedora,dc=test,dc=com - If you want to bind as
>     this same user but with a different DN, you will have to rename the
>     entry to use ntUserDomainId=smithr as the RDN instead of uid=RSmith.  If
>     AD allows you to request an entry by DN other than the actual DN of the
>     entry, then it is non-standard LDAP behavior.
>
>     Of course, if your client program allows it (like PAM), you can use a
>     different search filter to look up your entry.  I think PAM by default
>     uses (uid=%s) where %s is filled in with your login name.  I suppose you
>     could change it to (ntUserDomainId=%s), then you should be able to use
>     your existing entry for PAM login without having to rename it.  However,
>     if your client application expects ntUserDomainId=foo in the DN, then
>     you have no choice but to rename your entry.
>
>     Bowie Bailey wrote:
>
>     >Richard Gibson wrote:
>     >
>     >
>     >>Hello there.
>     >>
>     >>I've been using the Fedora Directory Server for very small scale
>     >>testing at work, but actually know rather little about LDAP
>     >>unfortunately. Hopefully you won't mind. Anyway, is it possible to
>     >>bind with an entry other than CN? I have the following user (LDIF
>     >>format):
>     >>
>     >>dn: uid=RSmith,ou=People, dc=fedora,dc=test,dc=com
>     >>mail: blablabla at test.com <mailto:blablabla at test.com>
>     >>uid: RSmith
>     >>givenName: Richard
>     >>objectClass: top
>     >>objectClass: person
>     >>objectClass: organizationalPerson
>     >>objectClass: inetorgperson
>     >>objectClass: ntuser
>     >>objectClass: posixAccount
>     >>sn: Smith
>     >>cn: RSmith
>     >>creatorsName:
>     >>uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
>     >>modifiersName:
>     >>uid=admin,ou=administrators,ou=topologymanagement,o=netscaperoot
>     >>createTimestamp: 20050905103419Z
>     >>modifyTimestamp: 20050916131603Z
>     >>nsUniqueId: 86b5b081-1dd211b2-806ddcd6-e1700000
>     >>ntUserDomainId: smithr
>     >>uidNumber: 1
>     >>gidNumber: 2
>     >>homeDirectory: /home/smithr
>     >>
>     >>
>     >>When attempting to bind using the following (as taken from the access
>     >>log):
>     >>BIND dn="ntUserDomainId=Richard Smith,ou=People,dc=fedora,dc=test,dc=com"
>     >>method=128 version=3
>     >>
>     >>...I get "No such object". This user does exist though. Is binding
>     >>using the ntUserDomainId out of the question?
>     >>
>     >
>     >Take a closer look.  The ntUserDomainId is "smithr" for this user, not
>     >"Richard Smith".
>     >
>     >Try this:
>     >dn="ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com"
>     >
>     >Disclaimer: I'm an LDAP beginner myself.  This is just a suggestion
>     >based on the fact that your bind doesn't match the user information you
>     >provided.
>     >
>
>
>     --
>     Fedora-directory-users mailing list
>     Fedora-directory-users at redhat.com
>     <mailto:Fedora-directory-users at redhat.com>
>     https://www.redhat.com/mailman/listinfo/fedora-directory-users
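The search-then-bind flow Richard describes (look the entry up with a filter such as (ntUserDomainId=%s), take the DN the server returns, then BIND as that DN and let the server compare the password) as an added, runnable example. This is not code from the thread or from Fedora DS: the in-memory FakeDirectory stands in for the server so it runs offline, the admin DN "cn=Directory Manager" and all passwords are constructed, the user entry is modelled on the LDIF posted in the thread (with the space after ou=People removed), and the RFC 4515 escaping of the login name before it goes into the filter is an added caveat for anyone wiring (ntUserDomainId=%s) into a client.

```python
import base64
import hashlib
import hmac
import os
import re

PEOPLE_BASE = "ou=People,dc=fedora,dc=test,dc=com"
ADMIN_DN = "cn=Directory Manager"   # assumed admin DN; not from the thread
ADMIN_PW = "admin-secret"           # constructed for this example


class LDAPError(Exception):
    """Carries an LDAP result code: 32 noSuchObject, 49 invalidCredentials, ..."""
    def __init__(self, code, msg):
        super().__init__("err=%d %s" % (code, msg))
        self.code = code


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into (ntUserDomainId=%s)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def ssha(password, salt=None):
    """Salted SHA-1 in the {SSHA} form directory servers keep in userPassword."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_check(password, stored):
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


class FakeDirectory:
    """Stand-in server: BIND checks the stored hash, SEARCH handles one equality filter."""

    def __init__(self, entries):
        # lower-cased DN -> (DN as written, attrs with lower-cased names, list values)
        self.entries = {dn.lower(): (dn, {k.lower(): list(v) for k, v in a.items()})
                        for dn, a in entries.items()}
        self.bound_as = None

    def bind(self, dn, password):
        self.bound_as = None                              # a failed BIND leaves you anonymous
        found = self.entries.get(dn.lower())
        if found is None:
            raise LDAPError(32, "No such object")         # what the thread's BIND got back
        if not ssha_check(password, found[1]["userpassword"][0]):
            raise LDAPError(49, "Invalid credentials")
        self.bound_as = found[0]
        return found[0]

    def search(self, base, filt, attrs):
        if self.bound_as is None:
            raise LDAPError(50, "Insufficient access")    # anonymous search refused
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)
        if m is None:
            raise LDAPError(87, "Bad search filter")
        attr, want = m.group(1).lower(), unescape_filter_value(m.group(2)).lower()
        hits = []
        for dn, entry in self.entries.values():
            if dn.lower().endswith(base.lower()) and want in [v.lower() for v in entry.get(attr, [])]:
                hits.append((dn, {a: entry[a.lower()] for a in attrs if a.lower() in entry}))
        return hits


def login(directory, domain_id, password):
    """Search-then-bind: returns the user's DN on success, None on a failed login."""
    directory.bind(ADMIN_DN, ADMIN_PW)                   # bind as admin only to look the entry up
    filt = "(ntUserDomainId=%s)" % escape_filter_value(domain_id)   # no redundant (objectClass=*)
    hits = directory.search(PEOPLE_BASE, filt, ["uid"])
    if len(hits) != 1:
        return None                                      # unknown or ambiguous: never guess a DN
    try:
        return directory.bind(hits[0][0], password)      # the server compares the password
    except LDAPError as err:
        if err.code == 49:
            return None
        raise


# Constructed directory content, modelled on the entry posted in the thread.
DIRECTORY = FakeDirectory({
    ADMIN_DN: {"userPassword": [ssha(ADMIN_PW)]},
    "uid=RSmith,ou=People,dc=fedora,dc=test,dc=com": {
        "objectClass": ["top", "person", "inetorgperson", "ntuser", "posixAccount"],
        "uid": ["RSmith"], "cn": ["RSmith"], "sn": ["Smith"],
        "ntUserDomainId": ["smithr"],
        "userPassword": [ssha("correct horse")],         # constructed password
    },
})

if __name__ == "__main__":
    print(login(DIRECTORY, "SmithR", "correct horse"))   # uid=RSmith,ou=People,...
    print(login(DIRECTORY, "SmithR", "wrong"))           # None
    try:
        DIRECTORY.bind("ntUserDomainId=smithr,ou=People,dc=fedora,dc=test,dc=com", "x")
    except LDAPError as err:
        print(err)                                       # err=32 No such object
```

The client code never touches userPassword: the admin bind is used only to resolve the login name to a DN, and the second BIND is what actually authenticates the user, so the same flow works unchanged whether the server stores {SSHA}, {SHA} or something else. Binding with a DN built from ntUserDomainId, as the original BIND did, still fails with result 32 because no entry has that DN.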