When using a pattern, the uid value (or whatever people enter) is 
substituted into the pattern to generate the dn - users are not expected to 
enter the full dn. Search is needed, however, when the attribute whose value 
is entered by the user is not a component of the dn, or when users are held 
in the directory under more than one node.

I agree that when a directory is used for authentication it is usually safe 
to assume that the entered value is a unique identifier for an entry. An 
exception might arise though when users are held under multiple nodes - 
e.g. people are held under organisational units, and some people are 
employed by more than one unit.

At 04:48 17/05/01, Martin Smith wrote:
>My use of search then bind is searching for a non-DN "user ID" (like UID or
>mail, which is presumably unique) then binding with the retrieved DN and
>password.  Can you imagine making people type in X.500-style user names????
>
>Martin

>Torgeir Veimo wrote:
>
> > John Holman wrote:
> > >
> > > As said before I'd like to add the ability to search the directory for the
> > > user's dn to cover cases when a fixed pattern will not work, but will wait
> > > to see the fate of this patch before going ahead.
> >
> > Regarding the "search, then bind" authentication; what would be the
> > suggested behaviour when there are more than one returned dn from the
> > search? Should one try to authenticate as each of these, or
> > automatically assume not authenticated?
> >
> > --
> > - Torgeir
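
The two lookup schemes discussed in this thread, a fixed DN pattern with the entered value substituted in and "search, then bind" on a non-DN attribute such as uid or mail, as an added example that is not code from the thread or from any project discussed in it. It runs against a small in-memory stand-in for the directory so it executes offline. The escaping of the entered value (RFC 4514 for DN values, RFC 4515 for filter values), the choice that zero or several search hits mean "not authenticated", and the sample entries (one uid deliberately present under two organisational units) are assumptions of this example, not positions taken by anyone in the thread.

```python
"""
Added example (not the thread's or any project's code): a fixed-pattern DN
lookup beside "search, then bind", against an in-memory directory stand-in.
Escaping of the entered value and the handling of ambiguous search results
are this example's own choices; the sample entries are constructed.
"""
import re

# Constructed sample directory: one dict of attributes per entry, keyed by DN.
# "ewong" is deliberately present under two organisational units, the
# ambiguous case raised in the thread.
DIRECTORY = {
    "uid=jholman,ou=people,dc=example,dc=org": {
        "uid": "jholman", "mail": "jholman@example.org", "userPassword": "s3cret"},
    "uid=ewong,ou=research,dc=example,dc=org": {
        "uid": "ewong", "mail": "ewong@example.org", "userPassword": "pw-research"},
    "uid=ewong,ou=admin,dc=example,dc=org": {
        "uid": "ewong", "mail": "ewong@example.org", "userPassword": "pw-admin"},
}


def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514), so that an
    entered value such as 'x,ou=admin' cannot add RDNs to the pattern."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        elif ord(ch) < 0x20:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value):
    """Escape an assertion value for a search filter (RFC 4515), so that an
    entered '*' is matched literally instead of acting as a wildcard."""
    return ''.join('\\%02x' % ord(ch) if ch in '*()\\\x00' else ch for ch in value)


def dn_from_pattern(pattern, entered):
    """Fixed-pattern scheme: substitute the entered value for '{0}' in a
    pattern such as 'uid={0},ou=people,dc=example,dc=org'."""
    return pattern.replace('{0}', escape_dn_value(entered))


def _unescape(raw):
    # Undo RFC 4515 hex escapes ('\2a' -> '*') when evaluating a filter value.
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), raw)


def search_filter(base, filt, directory=DIRECTORY):
    """Subtree search stand-in. Evaluates only '(attr=value)' filters; an
    unescaped '*' in the value is a wildcard, as a real server treats it."""
    attr, _, raw = filt[1:-1].partition('=')
    regex = '.*'.join(re.escape(_unescape(part)) for part in raw.split('*'))
    hits = []
    for dn, entry in directory.items():
        in_scope = dn == base or dn.endswith(',' + base)
        if in_scope and attr in entry and re.fullmatch(regex, entry[attr], re.S):
            hits.append(dn)
    return hits


def search_dn(base, attr, entered, directory=DIRECTORY):
    """Search scheme: find the DN(s) whose `attr` equals the entered value."""
    return search_filter(base, '(%s=%s)' % (attr, escape_filter_value(entered)), directory)


def bind(dn, password, directory=DIRECTORY):
    """Simple-bind stand-in: succeeds only if the DN exists and the password matches."""
    entry = directory.get(dn)
    return entry is not None and entry['userPassword'] == password


def authenticate_pattern(pattern, entered, password):
    """Pattern scheme end to end: build the DN, then bind as it."""
    return bind(dn_from_pattern(pattern, entered), password)


def authenticate_search_then_bind(base, attr, entered, password):
    """Search for the entry by a non-DN attribute, then bind as the DN found.
    Zero hits or more than one hit counts as not authenticated (one answer to
    the question asked in the thread; the thread itself does not settle it)."""
    dns = search_dn(base, attr, entered)
    if len(dns) != 1:
        return False
    return bind(dns[0], password)


if __name__ == '__main__':
    base = 'dc=example,dc=org'
    print(authenticate_pattern('uid={0},ou=people,' + base, 'jholman', 's3cret'))
    print(authenticate_search_then_bind(base, 'mail', 'jholman@example.org', 's3cret'))
    # Ambiguous uid: rejected under the wide base, accepted once the base is narrowed.
    print(authenticate_search_then_bind(base, 'uid', 'ewong', 'pw-admin'))
    print(authenticate_search_then_bind('ou=admin,' + base, 'uid', 'ewong', 'pw-admin'))
```

The last two calls show the trade-off John Holman describes: with people held under several organisational units, a search from the top of the tree can return two DNs for one uid, and the example refuses rather than guessing which to bind as, while a search base narrowed to one unit makes the same uid unambiguous again. The escaping functions are there because both schemes splice a user-entered string into a DN or a filter; with a real server an unescaped `*` in the filter would match every entry, which `search_filter('dc=example,dc=org', '(uid=*)')` reproduces.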
