Tolga YURDAKUL wrote:
Thank you for your quick answer.
I am new to LDAP protocol so I may have expressed the situation wrong.
But the only way I know the client gets the DN for a user is to bind as admin
and get the user DN from the server.
So I need the admin password at the client side.
My question is: how can I authenticate a user entering username and password at the client side to an Apache Directory Server without using admin password?
Granted that the user knows the DN to use, then this DN will be the
username. To be clear, it all depends on the way you organize your data
into the LDAP server (and it's not only Apache DS, but this is true for
any compliant LDAP server, which AD is not).
Typically, you store users in a ou=users, dc=acme, dc=com branch
(assuming your organization is 'acme'). For instance, if your user name
is tyurdakul (first letter of your firstname, concatenated with your
lastname), you will store it as:
cn=tyurdakul, ou=users, dc=acme, dc=com
and this is what you will use to bind on the server, in combination with
your password.
What Alex explained is that if you want to use only your username, then
you need a thin layer on top of the server which will do the translation
from tyurdakul to the associated DN (cn=tyurdakul, ou=users, dc=acme,
dc=com). Pretty easy to develop.
Hope it helps.
Tolga.
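The "thin layer" Emmanuel describes above (login name to DN, then a simple bind as that DN, no admin credentials involved), as an added example that is not code from this thread or from ApacheDS. It assumes the ou=users,dc=acme,dc=com layout from the thread, stands in for the real server with a constructed in-memory directory, and models the RFC 4513 unauthenticated-bind case (DN plus empty password) that such a layer has to refuse explicitly.

```python
"""Thin username-to-DN layer for an LDAP simple bind (added example).
The real server is replaced by FakeDirectory, a constructed stand-in with
the bind semantics a client would see, so the logic runs offline."""
import re

BASE_DN = "ou=users,dc=acme,dc=com"          # layout assumed from the thread
_DN_SPECIAL = re.compile(r'([,+"\\<>;=])')   # RFC 4514 characters needing escape


def username_to_dn(username: str, base: str = BASE_DN) -> str:
    """Translate a bare login name into the DN used as the bind principal."""
    if not username or username != username.strip() or "\0" in username:
        raise ValueError("malformed username")
    value = _DN_SPECIAL.sub(r"\\\1", username)   # escape , + " \ < > ; =
    if value[0] == "#":                          # a leading '#' is special too
        value = "\\" + value
    return f"cn={value},{base}"


class FakeDirectory:
    """Constructed stand-in for the LDAP server: maps DN -> password."""

    def __init__(self, entries: dict):
        self.entries = entries

    def bind(self, dn: str, password: str) -> bool:
        # RFC 4513: a DN with an empty password is an *unauthenticated* bind;
        # many servers accept it without proving identity, so model that.
        if password == "":
            return True
        return self.entries.get(dn) == password


def authenticate(directory: FakeDirectory, username: str, password: str) -> bool:
    """Username -> DN, then bind as that DN. No admin account is needed."""
    if not password:
        # Refuse here, or the unauthenticated bind above would log the user in.
        return False
    try:
        dn = username_to_dn(username)
    except ValueError:
        return False
    return directory.bind(dn, password)


# constructed sample entry, not real data
DIRECTORY = FakeDirectory({"cn=tyurdakul,ou=users,dc=acme,dc=com": "s3cret"})

if __name__ == "__main__":
    print(authenticate(DIRECTORY, "tyurdakul", "s3cret"))   # True
    print(authenticate(DIRECTORY, "tyurdakul", ""))         # False
```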
________________________________
From: [EMAIL PROTECTED] on behalf of: Alex Karasulu
Sent: Thu 25.09.2008 17:05
To: [email protected]
Subject: Re: Automatic Authentication
Hi Tolga,
On Thu, Sep 25, 2008 at 9:04 AM, Tolga YURDAKUL <[EMAIL PROTECTED]> wrote:
Hi,
We are comparing automatic authentication procedures with Active Directory
and Apache Directory Server.
With Active Directory:
Automatic authentication is simple; you define a user with a "logonname"
and use this logonname and a password for the bind procedure, which ends up
successful if these two values match with the values stored in the server.
Note that Active Directory is a NOS directory. AD intrinsically has a means
to either automatically find or map domain\username to some user entry. I
guess this is what you mean by "Automatic Authentication".
This AD specific behavior is not part of the LDAP protocol. The protocol
requires a DN for the bind DN.
With Apache Directory Server:
You have to use the user's full Distinguished Name (DN) and a password for
the bind procedure. Since the user at the client machine cannot know his/her
DN during the logon procedure, he/she enters a username and a password. The
JNDI bind code at the client machine first authenticates as administrator
to the server, searches for the user entry using the username as a filter,
if the user exists, the DN is drawn to the client and used in the bind
procedure with the password the user entered before.
This is a workaround we have to use for automatic authentication.
We could create an AD compatibility mode that can be toggled in the
configuration to allow ApacheDS to relax these protocol requirements: that
is to take a non-DN as the bind principal. This however would require some
work on the protocol frontend and some other changes in the internals where
bind requests are handled.
To summarize, we can support this but the manpower right now is spread thin.
Is there a way to authenticate automatically to Apache Directory Server
directly with a logonname and a password just like it is with Active
Directory without having to use DN for authentication?
The short answer is no. But as you see above it's a no-brainer to implement
this functionality.
Alex
Tolga.
######################################################################
Attention:
This e-mail message is personal and private. If it was not sent to
you, please inform the sender and delete the message. Messages to and
from our company are virus-scanned and, for security reasons, are
checked and stored. The views and viewpoint in the message belong to
the sender and need not be the official view of Aselsan A.S.
######################################################################
Attention:
This e-mail message is privileged and confidential. If you are
not the intended recipient please delete the message and notify
the sender. E-mails to and from the company are monitored for
operational reasons and in accordance with lawful business practices.
Any views or opinions presented are solely those of the author and
do not necessarily represent the views of the company.
######################################################################
--
cordialement, regards,
Emmanuel Lécharny
www.iktek.com
directory.apache.org