LDAP help (Was Re: Late night LDAP)

From: Joshua Kugler <joshua.kugler@uaf.edu>
Date: Mon Mar 21 2005 - 09:11:55 AKST

Hello all -

I have a server on which I would like to authenticate users via our enterprise
LDAP server. This is probably a matter of being pointed to the right docs,
but initial googling hasn't gotten me anywhere.

My situation is probably a bit different than most in that we need to do a
"two phase" bind.

All users in the directory have a unique ID. Mine is 1PDH3JZL01.
Understandably, users don't want to type this in every time they login, and
most don't even know theirs since it's an internal ID used to keep things
unique. Thus, the user will enter another piece of unique information, such as
their e-mail address, corporation username, or user ID, which is an eight-digit
number. None of these are the DN; only "1PDH3JZL01" (in my case) is the DN.

Well, what has to happen is this:

Enter corporation username
Anonymous bind to lookup dn (distinguishing name) from LDAP server
Bind a second time with the found dn as well as the supplied password
If second bind succeeds, the user is authenticated. If not, login fails.

It seems, though, that pam_ldap only wants to do a single-phase bind, thus I'm
stuck.

Also, there are pam_login_* directives in /etc/ldap.conf, but I can't seem
to find any man pages or other docs (/usr/share/doc/pam_ldap-170 doesn't have
anything), and I can't find the relevant docs on
http://www.padl.com/OSS/pam_ldap.html .

Does anyone have any tips or pointers?

Thanks!

j----- k-----

-- 
Joshua Kugler
CDE System Administrator
http://distance.uaf.edu/
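The two-phase bind described in the post, written out as an added example (not code from the original post or from pam_ldap); the directory is a constructed in-memory stand-in for a python-ldap connection, whose search_s/simple_bind_s here return a list/boolean instead of raising as the real library does. It also includes the two checks a practitioner would want around this flow: escaping the typed login before it goes into the search filter, and refusing an empty password, which LDAP treats as an unauthenticated bind rather than a failed one.

```python
import re

def escape_filter_value(value):
    """RFC 4515 escaping so a login like '*' cannot widen the search filter."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

class FakeDirectory:
    """Constructed stand-in for a python-ldap connection: dn -> (attrs, password)."""
    def __init__(self, entries):
        self.entries = entries

    def search_s(self, base, flt):
        # Phase 1 (anonymous search): minimal parser for one "(attr=value)" filter.
        attr, value = flt.strip('()').split('=', 1)
        value = re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)
        return [dn for dn, (attrs, _) in self.entries.items()
                if dn.endswith(base) and attrs.get(attr) == value]

    def simple_bind_s(self, dn, password):
        # Phase 2 (simple bind). An empty password is an unauthenticated bind
        # (RFC 4513 section 5.1.2) that many servers accept; this fake refuses it.
        entry = self.entries.get(dn)
        return bool(password) and entry is not None and entry[1] == password

def two_phase_login(directory, base, login_attr, login, password):
    """Anonymous lookup of the DN, then bind with it. Returns the DN or None."""
    if not password:
        return None  # never forward an empty password: it would be an anonymous bind
    flt = '(%s=%s)' % (login_attr, escape_filter_value(login))
    matches = directory.search_s(base, flt)
    if len(matches) != 1:
        return None  # zero or ambiguous matches: refuse rather than guess
    return matches[0] if directory.simple_bind_s(matches[0], password) else None

# Constructed sample directory (placeholder IDs, not real data).
BASE = 'ou=people,dc=example,dc=com'
DIRECTORY = FakeDirectory({
    'uid=ID00000001,' + BASE: ({'uid': 'ID00000001', 'mail': 'jk@example.com',
                                'corpname': 'jkugler'}, 's3cret'),
    'uid=ID00000002,' + BASE: ({'uid': 'ID00000002', 'mail': 'other@example.com',
                                'corpname': 'other'}, 'hunter2'),
})
```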
Received on Mon Mar 21 09:12:02 2005