Re: Re LDAP help

From: damien hull <dhull@digitaloverload.net>
Date: Mon Mar 21 2005 - 17:21:44 AKST

I did some more reading today and it seems that the DN or RDN is what
you need to authenticate. In your case you have to put in the ID number.

There may be "attributes" associated with the ID number (DN) but that's
just extra information. If the user name is an "attribute" you can't use
it to login.

There are two ways you can make this work.

1. Give each user their ID number
2. Add the users to the directory - cn=jon smith,dn=acme,dn=com

The first option should work but it's not an ideal solution. Option 2 is
the best option but you have to add this information to the server.

I'm not really sure how you would implement option 2. You might be able
to create a new "organizational unit" and add users to it. That would
give each user a DN.

I'm still trying to get my LDAP server working. I'll post some info as
soon as I get it working.

On Mon, 2005-03-21 at 16:18 -0900, Joshua Kugler wrote:
> Well, not really. I don't have an LDAP server set up, because that's the
> University's server. I am using pam_ldap to try to authenticate from that,
> but to directly auth against that, I'd need to have the user enter their
> really ugly DN. Not what I want to do at this point.
>
> j----- k-----
>
> On Monday 21 March 2005 12:06, damien hull wrote:
> > Is this OpenLDAP?
> >
> > If it is it sounds like you have something configured wrong. I'm trying
> > to learn OpenLDAP and from what I've read the DN should be the username
> > followed by the root DN.
> >
> > Example root DN: dn=acme,dn=com
> >
> > Example DN: cn=jason,dn=acme,dn=com
> >
> > If you configure things right you can use a relative DN (RDN).
> >
> > Example: cn=jason
> >
> > I'm not sure how to set this up. I can get OpenLDAP running but I can't
> > log on. The only user I have is the admin account. If I connect
> > anonymously it works fine. This allows me to browse and search the
> > directory but I can't change anything. The directory is read only.
> >
> > I should mention that I'm trying to set up an address book in LDAP. I'm
> > saving user authentication for later.
> >
> > On Mon, 2005-03-21 at 09:11 -0900, Joshua Kugler wrote:
> > > Hello all -
> > >
> > > I have a server on which I would like to authenticate users via our
> > > enterprise LDAP server. This is probably a matter of being pointed to the
> > > right docs, but initial googling hasn't gotten me anywhere.
> > >
> > > My situation is probably a bit different than most in that we need to
> > > do a "two phase" bind.
> > >
> > > All users in the directory have a unique ID. Mine is 1PDH3JZL01.
> > > Understandably, users don't want to type this in every time they
> > > login, and most don't even know theirs since it's an internal ID used to
> > > keep things unique. Thus, the user then enters another piece of unique
> > > information, such as their e-mail address, corporation username, or user
> > > ID which is an eight digit number. None of these are the DN, only
> > > "1PDH3JZL01" (in my case) is the DN.
> > >
> > > Well, what has to happen is this:
> > >
> > > Enter corporation username
> > > Anonymous bind to look up dn (distinguishing name) from LDAP server
> > > Bind a second time with the found dn as well as the supplied password
> > > If second bind succeeds, the user is authenticated. If not, login fails.
> > >
> > > It seems, though, that pam_ldap only wants to do a single phase bind,
> > > thus I'm stuck.
> > >
> > > Also, there are pam_login_* directives in /etc/ldap.conf, but I can't
> > > seem to find any man pages or other docs (/usr/share/doc/pam_ldap-170
> > > doesn't have anything), and I can't find the relevant docs on
> > > http://www.padl.com/OSS/pam_ldap.html .
> > >
> > > Does anyone have any tips or pointers?
> > >
> > > Thanks!
> > >
> > > j----- k-----
> >
> > ---------
> > To unsubscribe, send email to <aklug-request@aklug.org>
> > with 'unsubscribe' in the message body.
>

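The search-then-bind procedure Joshua lays out in the quoted message (anonymous bind, look up the DN by a user-facing attribute, bind again as that DN with the supplied password), written out as an added Python example that is not code from this thread, with the two checks the flow needs in practice: the typed login is escaped before it goes into the search filter, and an empty password is refused, because a simple bind with a DN and no password is an unauthenticated bind that many servers accept. The LDAP client is reduced to `bind` and `search` calls backed by a constructed in-memory directory; the base DN, the `uid` login attribute and the sample entries are assumptions, and a real deployment would put a genuine LDAP client behind the same two calls.

```python
import re
from dataclasses import dataclass

BASE_DN = "dc=acme,dc=com"  # constructed sample base DN (assumption)
LOGIN_ATTR = "uid"          # attribute users type instead of their DN (assumption)

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: typed input must not change the shape of the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def two_phase_login(client, login: str, password: str) -> bool:
    """Phase 1: anonymous bind and search for the DN; phase 2: bind as that DN."""
    # A simple bind with a DN and an EMPTY password is an unauthenticated bind,
    # which many servers accept, so without this check phase 2 passes for anyone.
    if not password:
        return False
    client.bind(None, "")                                    # phase 1: anonymous
    matches = client.search(BASE_DN, "(%s=%s)" % (LOGIN_ATTR, escape_filter_value(login)))
    if len(matches) != 1:                                    # unknown or ambiguous
        return False
    return client.bind(matches[0], password)                 # phase 2: as found DN

@dataclass
class FakeDirectory:
    """In-memory stand-in for the LDAP server (constructed for this example)."""
    entries: dict    # dn -> {attribute: value}
    passwords: dict  # dn -> password

    def bind(self, dn, password):
        if dn is None or password == "":   # anonymous or unauthenticated bind
            return True
        return self.passwords.get(dn) == password

    def search(self, base, flt):
        attr, _, raw = flt[1:-1].partition("=")
        rx, i = "", 0
        while i < len(raw):                # \xx escapes are literal, bare * is a wildcard
            if raw[i] == "\\":
                rx += re.escape(chr(int(raw[i + 1:i + 3], 16))); i += 3
            elif raw[i] == "*":
                rx += ".*"; i += 1
            else:
                rx += re.escape(raw[i]); i += 1
        return [dn for dn, e in self.entries.items()
                if dn.endswith(base) and re.fullmatch(rx, e.get(attr, ""))]

DIRECTORY = FakeDirectory(  # constructed sample data; opaque-ID DNs as in the thread
    entries={"cn=1PDH3JZL01,dc=acme,dc=com": {"uid": "jkugler"},
             "cn=Q7RT2MNA09,dc=acme,dc=com": {"uid": "dhull"}},
    passwords={"cn=1PDH3JZL01,dc=acme,dc=com": "s3cret",
               "cn=Q7RT2MNA09,dc=acme,dc=com": "hunter2"})
```

A login of `j*` fails even though the fake directory honours bare wildcards, because the escaped filter `(uid=j\2a)` only matches a literal `j*`.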
Received on Mon Mar 21 17:21:52 2005

This archive was generated by hypermail 2.1.8 : Mon Mar 21 2005 - 17:21:52 AKST