Hello, I have one question but as I am fairly new to LDAP as a whole it may be difficult for you to understand me.
My users have the following structure: uid=user,ou=people,ou=division,o=company

I have a user "user1" in "division1" and a user "user1" in "division2". Both users are different. When I do a simple login, I can log in to whichever I want using the full DN uid=user1,ou=people,ou=division1,o=company or uid=user1,ou=people,ou=division2,o=company.

To make login easier for the users, I use the following algorithm (the idea is from the Apache DS guide):

1) log in as a special account
2) run a search (&(objectclass=userClass)(uid=username)) with a root at o=company
3) try to connect as each user found; use the first successful login as the current login, or send an error if it was not possible to log in with any account

This works perfectly until I use SASL. When I connect with SASL and a searchBaseDn set to o=company, I cannot give a full DN or a DN relative to the search base. I can log in by using the "user1" id, but the following happens:

uid: user1, password: the one for user1 in division1: failure
uid: user1, password: the one for user1 in division2: success

Is it possible to authenticate with SASL using a full DN? Or is it possible to have SASL+LDAP make a distinction between both accounts? Or is it possible to have SASL+LDAP try each user found against the password (and not just one returned randomly)? Or is my setup broken?

Thank you

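The search-then-bind procedure described in the question (bind as a service account, search for the uid, then try a simple bind as each DN found until one accepts the password) is shown below as an added example; it is not code from the poster or from Apache DS. It assumes a constructed in-memory stand-in for the directory (FakeDirectory, which stores DN -> password and understands only the (uid=...) term of the filter), so it runs offline; against a real server the same login() logic would call the library's bind and search instead. Two details a practitioner would want that the question does not mention are included: the username is escaped per RFC 4515 before it is placed in the filter, so input such as user1)(uid=* cannot change the filter's structure, and an empty password is rejected up front, because a simple bind with a DN and an empty password is an "unauthenticated" bind that some servers treat as a successful anonymous bind.

```python
"""Search-then-bind LDAP login, with a constructed in-memory stand-in for the server."""
import re
from dataclasses import dataclass
from typing import Dict, List

# RFC 4515 escapes for values interpolated into a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value (used only by the fake server below)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_uid_filter(object_class: str, uid: str) -> str:
    """Build (&(objectClass=...)(uid=...)) with both values escaped."""
    return (f"(&(objectClass={escape_filter_value(object_class)})"
            f"(uid={escape_filter_value(uid)}))")


class AuthError(Exception):
    """Raised when the login procedure cannot authenticate the user."""


@dataclass
class FakeDirectory:
    """Constructed stand-in for an LDAP server: DN -> password (hypothetical data)."""
    entries: Dict[str, str]
    service_dn: str
    service_password: str

    def simple_bind(self, dn: str, password: str) -> bool:
        if dn == self.service_dn:
            return password == self.service_password
        return self.entries.get(dn) == password

    def search(self, base: str, ldap_filter: str) -> List[str]:
        """Return DNs under base whose uid RDN equals the (uid=...) term of the filter."""
        m = re.search(r"\(uid=([^)]*)\)", ldap_filter)
        if not m:
            return []
        wanted = unescape_filter_value(m.group(1)).lower()
        hits = []
        for dn in self.entries:
            rdn, _, parent = dn.partition(",")
            parent, base_l = parent.lower(), base.lower()
            in_scope = parent == base_l or parent.endswith("," + base_l)
            if in_scope and rdn.lower() == f"uid={wanted}":
                hits.append(dn)
        return hits


def login(directory: FakeDirectory, base: str, object_class: str,
          username: str, password: str) -> str:
    """Bind as the service account, search for uid, then try each DN; return the one that binds."""
    if not password:
        # A simple bind with a DN and an empty password is an "unauthenticated" bind
        # (RFC 4513 5.1.2); a server may accept it as anonymous, so never forward it.
        raise AuthError("empty password")
    if not directory.simple_bind(directory.service_dn, directory.service_password):
        raise AuthError("service account bind failed")
    candidates = directory.search(base, build_uid_filter(object_class, username))
    for dn in candidates:  # every entry with this uid gets a chance, not just the first
        if directory.simple_bind(dn, password):
            return dn
    raise AuthError(f"no entry with uid={username!r} accepted the password")


# Constructed sample directory mirroring the layout in the question.
SAMPLE = FakeDirectory(
    entries={
        "uid=user1,ou=people,ou=division1,o=company": "pw-division1",
        "uid=user1,ou=people,ou=division2,o=company": "pw-division2",
        "uid=user2,ou=people,ou=division1,o=company": "pw-user2",
    },
    service_dn="cn=authsvc,o=company",
    service_password="svc-secret",
)

if __name__ == "__main__":
    print(login(SAMPLE, "o=company", "userClass", "user1", "pw-division2"))
```

Because login() tries every DN the search returns, the two user1 entries are told apart by which password the caller supplies; this is exactly the distinction that is lost once the server performs the uid-to-DN mapping itself, since it resolves the identity to a single entry before any password is checked.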