Thread: LDAP bind DN template

  1. #1
    Join Date: Oct 2005
    Posts: 2

    LDAP bind DN template

    I can never find any good examples to put for the "LDAP bind DN template:" I am not exactly sure what to put there. Our college has the most basic LDAP setup for our sun boxes. Could you please give me some examples what to do there, and maybe put that in your documentation or maybe I just missed it. Thanks

  2. #2
    Join Date: Aug 2005
    Posts: 228

    Sorry about that. I'll check and see if there are any docs on it.

    First off, we are moving away from the bind template, and moving to a more generic search filter approach. I'll explain the bind template first, then what we will have in the next release.

    The bind template is used to map a username into a DN that we can bind against in any external LDAP server to authenticate the username.

    For example, in our system, "joe@foobar.com" is stored in LDAP as:

    Code:
    uid=joe,ou=people,dc=foobar,dc=com

    If "joe@foobar.com" in *your* system maps to:

    Code:
    cn=joe,dc=foobar,dc=com

    then your bind template would be:

    Code:
    cn=%u,dc=foobar,dc=com

    When a user tries to log in, we take the username they type at the login prompt (or pass via the IMAP/POP protocol), apply the bind template, then take the resulting DN and password and attempt to bind in the external LDAP server.

    Hope that helps. Let me know if it is still unclear.

    The bind template works fine if there is a simple mapping from users in our system to users in yours. But if you happen to store users in an org fashion instead, then a bind template falls short.

    For example, you might have:

    Code:
    email=joe@foobar.com,ou=eastcoast,ou=foo
    email=steve@foobar.com,ou=westcoast,ou=foo

    It isn't possible to define a simple template to handle both joe and steve, but if you define a simple search filter like:

    Code:
    (email=%u@foobar.com)

    then we'll do a search using that query, and use the DN from the result to auth against. Depending on your schema, you might want to make that a more complex search, like:

    Code:
    (&(email=%u@foobar.com)(objectclass=xxxxx))

    It is also crucial that the search filter only returns a single result. If there is more than one DN that matches the filter, we'll log an error in the system log and return an auth failure.

    As I mentioned, the search filter approach will be in the next release. The server and admin console have both already been updated.

    roland
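
The two flows roland describes, mapping a username through a bind DN template and looking the user up with a search filter that must match exactly one entry, as an added example that is not part of the original thread and not Zimbra's own code. It assumes an in-memory stand-in for the external directory (DIRECTORY, a constructed dict of hypothetical entries modelled on the post's DNs) instead of a real LDAP server, and a toy filter evaluator that understands only equality assertions and "&". The escaping helpers follow RFC 4514 (DN values) and RFC 4515 (filter values) so that whatever a user types at the login prompt stays a literal value and cannot reshape the DN or the filter, the single-result rule from the post is enforced before any bind, and an empty password is refused up front because most directory servers treat a bind with an empty password as an unauthenticated bind that succeeds.

```python
import logging
import re

log = logging.getLogger("ldap-auth")

# Constructed stand-in for the external LDAP directory (DN -> attributes).
# All entries and passwords are hypothetical toy values for this example.
DIRECTORY = {
    "cn=joe,dc=foobar,dc=com": {
        "cn": "joe", "objectclass": "person", "userpassword": "joe-pass"},
    "email=joe@foobar.com,ou=eastcoast,ou=foo": {
        "email": "joe@foobar.com", "objectclass": "person", "userpassword": "joe-pass"},
    "email=steve@foobar.com,ou=westcoast,ou=foo": {
        "email": "steve@foobar.com", "objectclass": "person", "userpassword": "steve-pass"},
    # Two entries share one email: a filter on it is ambiguous and must be refused.
    "email=dup@foobar.com,ou=eastcoast,ou=foo": {
        "email": "dup@foobar.com", "objectclass": "person", "userpassword": "dup-pass"},
    "email=dup@foobar.com,ou=westcoast,ou=foo": {
        "email": "dup@foobar.com", "objectclass": "person", "userpassword": "dup-pass"},
}


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = value.replace("\\", "\\\\")
    for ch in '"+,;<>':
        out = out.replace(ch, "\\" + ch)
    if value.startswith(("#", " ")):          # leading '#' or space must be escaped
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:  # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
            .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def apply_bind_template(template, username):
    """Substitute %u in a bind DN template, e.g. 'cn=%u,dc=foobar,dc=com'."""
    return template.replace("%u", escape_dn_value(username))


def apply_search_filter(template, username):
    """Substitute %u in a filter template, e.g. '(email=%u@foobar.com)'."""
    return template.replace("%u", escape_filter_value(username))


_ASSERTION = re.compile(r"\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)")


def _parse_filter(flt):
    """Toy parser: accepts '(a=v)' or '(&(a=v)(b=w)...)', equality only."""
    conjunction = flt.startswith("(&") and flt.endswith(")")
    body = flt[2:-1] if conjunction else flt
    items = _ASSERTION.findall(body)
    if "".join("(%s=%s)" % (a, v) for a, v in items) != body:
        raise ValueError("unsupported or malformed filter: " + flt)
    if not conjunction and len(items) != 1:
        raise ValueError("a bare filter must hold exactly one assertion: " + flt)
    # Undo RFC 4515 \XX escapes so escaped input is compared as a literal value.
    unescape = lambda v: re.sub(r"\\([0-9A-Fa-f]{2})",
                                lambda m: chr(int(m.group(1), 16)), v)
    return [(a.lower(), unescape(v)) for a, v in items]


def search(flt):
    """Return the DNs of every directory entry matching all assertions in flt."""
    wanted = _parse_filter(flt)
    return [dn for dn, attrs in DIRECTORY.items()
            if all(attrs.get(a, "").lower() == v.lower() for a, v in wanted)]


def bind(dn, password):
    """Simulate a simple bind: the server checks the password of that DN."""
    entry = DIRECTORY.get(dn)
    return bool(entry is not None and entry["userpassword"] == password)


def authenticate_with_template(template, username, password):
    """Bind-template flow: username -> DN via template -> bind."""
    if not password:
        return False  # an empty password would be an unauthenticated bind
    return bind(apply_bind_template(template, username), password)


def authenticate_with_filter(filter_template, username, password):
    """Search-filter flow: username -> filter -> exactly one DN -> bind."""
    if not password:
        return False
    matches = search(apply_search_filter(filter_template, username))
    if len(matches) != 1:
        log.error("filter for %r matched %d entries, refusing auth", username, len(matches))
        return False
    return bind(matches[0], password)
```

Against a real directory the `search` and `bind` functions would be replaced by the client library's search and simple-bind calls; the template substitution, escaping and the "exactly one result" rule are the parts that stay the same.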
