I am using OpenLDAP (slapd 2.4.18). I can bind to it using Kerberos. That works great. I can also bind to it using a simple bind (either by directly storing the password in the userPassword attribute, or by putting {SASL}username in the userPassword attribute).
Let's pretend I want to do a simple bind, but I don't want to have to have my bind DN as "uid=someuser,ou=whatever,dc=example,dc=com". Imagine me telling someone to type that into an iPhone or something. Instead, I am wondering if there is a native way with OpenLDAP to have someone bind with "username" and then the server "rewrites" the DN to uid=username,ou=whatever,dc=example,dc=com for them before authenticating.
It'd be best if I could match a regular expression. That way, if I actually DO try to bind with cn=manager,dc=example,dc=com it won't try and rewrite that. I could specify that only a bind without commas and equal signs would get rewritten.
Perhaps some pointers that I've found, but haven't found a lot of documentation for: olcAuthIDRewrite (which seems like it would correlate to authid-rewrite). There is olcAuthzRegexp, but that is for the other direction -- if they have authenticated with SASL then what should their DN become? I'm looking for rewriting a simple bind.
It is possible that this functionality doesn't even exist. If that's the case, then could you at least explain what olcAuthIDRewrite is for?
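One way to get the bind-DN rewrite described in the question is the rwm overlay (slapo-rwm), whose bindDN rewrite context runs a regular expression over the DN of an incoming simple bind before the backend sees it. The cn=config LDIF below is an added example, not part of the original question or an OpenLDAP sample; it assumes the database is olcDatabase={1}hdb,cn=config, that user entries live under ou=People,dc=example,dc=com, and that the rwm module is already loaded (add an olcModuleLoad: rwm to cn=module if slapd was built with rwm as a dynamic module). The pattern only matches a name with no commas or equals signs, so a full DN such as cn=manager,dc=example,dc=com is left untouched, which is the behaviour the question asks for.

```ldif
# Added example: attach the rwm overlay to the user database and rewrite a
# comma/equals-free simple-bind name into a full DN before authentication.
# Assumptions: database is olcDatabase={1}hdb,cn=config and users sit under
# ou=People,dc=example,dc=com; change both to match the real tree.
dn: olcOverlay=rwm,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0}rwm-rewriteEngine on
olcRwmRewrite: {1}rwm-rewriteContext bindDN
# Only a bare name (no ',' and no '=') matches; anything that already looks
# like a DN, e.g. cn=manager,dc=example,dc=com, fails the regex and passes
# through unchanged. ":" is the empty flag set, i.e. plain rewrite.
olcRwmRewrite: {2}rwm-rewriteRule "^([^,=]+)$" "uid=$1,ou=People,dc=example,dc=com" ":"
```

Load it with `ldapadd -Y EXTERNAL -H ldapi:/// -f rwm-bind.ldif`, then confirm with `ldapwhoami -x -H ldap://localhost -D someuser -W`: the returned identity should be the rewritten uid=someuser,ou=People,dc=example,dc=com, while `-D cn=manager,dc=example,dc=com` must still bind as the manager. Keep the character class tight (no `.*`), since the rewritten DN is whatever the regex produces and a permissive pattern would let a caller steer the bind to an unintended entry; the overlay only changes which entry is authenticated against, it does not bypass that entry's password check.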