AFAIK using the full DN won't work for SASL; it requires just the RDN value (i.e. username/userid).
On Fri, May 20, 2011 at 7:36 AM, Mathias Clerc <[email protected]> wrote:
> Hello,
>
> I have one question, but as I am fairly new to LDAP as a whole it may
> be difficult for you to understand me.
>
> My users have the following structure:
> uid=user,ou=people,ou=division,o=company
>
> I have a user "user1" in "division1" and a user "user1" in
> "division2". Both users are different.
>
> When I do a simple login, I can log in to whichever I want using the
> full DN uid=user1,ou=people,ou=division1,o=company or
> uid=user1,ou=people,ou=division2,o=company
>
> To make login easier for the users, I use the following algorithm
> (the idea is from the Apache DS guide):
> 1) log in as a special account
> 2) run a search (&(objectclass=userClass)(uid=username)) with a root
>    at o=company
> 3) try to connect to each user found, use the first successful login as
>    the current login, or send an error if it was not possible to log in with
>    any account
>
> This works perfectly until I use SASL. When I connect with SASL and a
> searchBaseDn set to o=company I cannot give a full DN or a DN
> relative to the search base.
> I can log in by using the "user1" id, but the following happens:
> uid: user1, password: the one for user1 in division1 : failure
> uid: user1, password: the one for user1 in division2 : success
>
> Is it possible to authenticate with SASL using the full DN?
> Or is it possible to have SASL+LDAP make a distinction between both accounts?
> Or is it possible to have SASL+LDAP try each user found against the
> password (and not just try one returned randomly)?
> Or is my setup broken?
>
> Thank you

--
Kiran Ayyagari
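The following is an added example, not code from the thread or from Apache DS. It models the search-then-bind procedure quoted above (service-account search, then a simple bind against each candidate DN) next to a SASL-style login that only receives a bare user id and therefore has to map it to a single entry before authenticating. The directory is a constructed in-memory stand-in with the two homonymous "user1" entries from the mail; the DN, attribute and password values are assumptions, and a real deployment would replace `search_uid` and `simple_bind` with calls to the LDAP server.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed in-memory stand-in for the directory in the thread (DN -> attributes).
# Passwords are stored salted and hashed so the "bind" step compares digests,
# not cleartext; the hashing scheme is an assumption for the example only.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_entry(uid: str, password: str) -> Dict[str, object]:
    salt = os.urandom(16)
    return {
        "objectClass": ["inetOrgPerson"],  # stands in for the mail's "userClass"
        "uid": uid,
        "userPassword": (salt, _hash_password(password, salt)),
    }


DIRECTORY: Dict[str, Dict[str, object]] = {
    "uid=user1,ou=people,ou=division1,o=company": _make_entry("user1", "div1-secret"),
    "uid=user1,ou=people,ou=division2,o=company": _make_entry("user1", "div2-secret"),
    "uid=user2,ou=people,ou=division1,o=company": _make_entry("user2", "other-secret"),
}


def search_uid(base: str, uid: str, object_class: str = "inetOrgPerson") -> List[str]:
    """Stand-in for (&(objectClass=<class>)(uid=<uid>)) with subtree scope under base.
    Returns every matching DN, so homonymous users in different OUs all come back."""
    return [
        dn
        for dn, attrs in DIRECTORY.items()
        if dn.endswith("," + base)
        and attrs["uid"] == uid
        and object_class in attrs["objectClass"]
    ]


def simple_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind against one full DN: succeeds only if the
    entry exists and the password matches its stored credential."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        return False
    salt, stored = entry["userPassword"]
    return hmac.compare_digest(stored, _hash_password(password, salt))


def login_search_then_bind(uid: str, password: str, base: str = "o=company") -> Optional[str]:
    """Steps 1-3 from the mail: search (as the service account) for every entry with
    this uid, then try a simple bind on each candidate DN. Returns the DN that bound,
    or None if no candidate accepted the password."""
    for dn in search_uid(base, uid):
        if simple_bind(dn, password):
            return dn
    return None


def login_sasl_style(uid: str, password: str, base: str = "o=company") -> Optional[str]:
    """Models a SASL mechanism that only carries the bare user id: the server resolves
    it to exactly one entry (here the first search hit; the order is arbitrary from
    the client's point of view) and authenticates that entry alone."""
    candidates = search_uid(base, uid)
    if not candidates:
        return None
    chosen = candidates[0]
    return chosen if simple_bind(chosen, password) else None


if __name__ == "__main__":
    # Search-then-bind disambiguates by trying each full DN.
    print("search+bind, division2 password:", login_search_then_bind("user1", "div2-secret"))
    # The bare-uid login only ever tries one of the two user1 entries.
    print("sasl-style, division1 password:", login_sasl_style("user1", "div1-secret"))
    print("sasl-style, division2 password:", login_sasl_style("user1", "div2-secret"))
```

Two caveats a practitioner would want with the search-then-bind variant: each login attempt tests the supplied password against every account sharing that uid, so failed attempts should be throttled and counted per uid rather than per DN, and the service account used for the search needs only read access to the attributes the filter touches. Since `DIRECTORY` is an ordinary dict, the SASL-style login here deterministically picks the first entry inserted; on a real server the entry chosen for an ambiguous user id is whatever its identity-mapping rule returns, which is why the mail saw one division's password accepted and the other rejected.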
