Posted to users@directory.apache.org by Mathias Clerc <tl...@gmail.com> on 2011/05/20 04:06:23 UTC

SASL and full DN

Hello,

I have one question but as I am fairly new to LDAP as a whole it may
be difficult for you to understand me.

My users have the following structure:
uid=user,ou=people,ou=division,o=company

I have a user "user1" in "division1" and a user "user1" in
"division2". Both users are different.

When I do a simple login, I can log in to whichever I want using the
full DN uid=user1,ou=people,ou=division1,o=company or
uid=user1,ou=people,ou=division2,o=company

To make login easier for the users, I use the following algorithm
(idea is from the Apache DS guide):
1) login as a special account
2) run a search (&(objectclass=userClass)(uid=username)) with a root
at o=company
3) try to connect to each user found, use the first successful login as
current login or send an error if it was not possible to log in with
any account

This works perfectly until I use SASL. When I connect with SASL and a
searchBaseDn set to o=company I cannot give a full DN or a DN
relative to the search base.
I can log in by using the "user1" id, but the following happens:
uid:user1, password:the one for user1 in division1: failure
uid:user1, password:the one for user1 in division2: success

Is it possible to authenticate with SASL using a full DN?
Or is it possible to have SASL+LDAP make a distinction between both accounts?
Or is it possible to have SASL+LDAP try each user found against the
password (and not just try one returned randomly)?
Or is my setup broken?

Thank you
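
An added example, not code from the thread or from Apache DS, that models the search-then-bind login described above against a constructed in-memory directory, beside a single-lookup login that behaves the way the thread reports SASL behaving (the replies' point that only the bare uid is matched under the base DN). The directory entries, passwords, and the assumption that the single lookup takes the first search hit are all constructed here; the admin check at the end reports uid values that are ambiguous under a given search base.

```python
import hmac

# Constructed sample directory (not from the thread): two different people
# who both carry uid=user1, plus one unambiguous account.
DIRECTORY = {
    "uid=user1,ou=people,ou=division2,o=company": {"uid": "user1", "userPassword": "pw-div2"},
    "uid=user1,ou=people,ou=division1,o=company": {"uid": "user1", "userPassword": "pw-div1"},
    "uid=user2,ou=people,ou=division1,o=company": {"uid": "user2", "userPassword": "pw-u2"},
}

def search_uid(base_dn, uid):
    """Stand-in for the subtree search (&(objectclass=...)(uid=<uid>)) under base_dn.
    Returns the matching DNs in directory order, like a real result set."""
    suffix = "," + base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(suffix) and attrs["uid"] == uid]

def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind: the exact DN plus its password."""
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"], password)

def login_search_then_bind(base_dn, uid, password):
    """The post's algorithm: search for the uid, then try to bind as every hit.
    The first DN whose bind succeeds is the authenticated user, else None."""
    for dn in search_uid(base_dn, uid):
        if simple_bind(dn, password):
            return dn
    return None

def login_single_lookup(base_dn, uid, password):
    """Models what the thread reports for SASL: the server maps the bare username
    to one entry under its search base and checks only that entry's password.
    Which hit is taken is an assumption here (the first one returned)."""
    hits = search_uid(base_dn, uid)
    if hits and simple_bind(hits[0], password):
        return hits[0]
    return None

def find_ambiguous_uids(base_dn):
    """Admin check: which uid values resolve to more than one entry under base_dn?
    Any uid listed here cannot be authenticated reliably by a single-lookup scheme."""
    by_uid = {}
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith("," + base_dn.lower()):
            by_uid.setdefault(attrs["uid"], []).append(dn)
    return {uid: sorted(dns) for uid, dns in by_uid.items() if len(dns) > 1}
```

Narrowing the search base to one division (or making uid unique under the shared base) is what makes the single-lookup path unambiguous; `find_ambiguous_uids` shows which it is for a given base.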

Re: SASL and full DN

Posted by Jim Willeke <ji...@willeke.com>.
Most LDAP implementations use only the RDN or the uid value.
Looks like:
http://directory.apache.org/apacheds/1.5/21-sasl-authentication-to-apacheds.html
Username is matched to 'uid' under a base DN depending on the SASL
mechanism being used.

-jim
Jim Willeke


On Sat, May 21, 2011 at 3:03 AM, Kiran Ayyagari <ka...@apache.org> wrote:
>
> AFAIK using a full DN won't work for SASL; it requires just the RDN value
> (i.e. username/userid)
>

Re: SASL and full DN

Posted by Kiran Ayyagari <ka...@apache.org>.
AFAIK using a full DN won't work for SASL; it requires just the RDN value
(i.e. username/userid)




-- 
Kiran Ayyagari