alancota1

LDAP Authentication over custom attribute instead CN


Hi guys.

Could I use a new custom attribute (any of them) to authenticate users
against Novell eDirectory using LDAP, instead of using the default CN naming
attribute to bind? If I could, how hard would it be to implement?

I've been searching for this information based on Novell User
Application (IDM portal) authentication, where you can define another
attribute to authenticate users instead of CN. I believe the User
Application uses that specified attribute to query LDAP, get the CN
and then use it to really authenticate the user. Perhaps... I've got to
figure that out.

Thank you all for the help here.

My best regards,


--
*:cool: Alan Cota | Brazil.
CNE | ISM & Security Specialist.
'http://www.alancota.biz' (http://www.alancota.net)*
------------------------------------------------------------------------
AlanCota's Profile: http://forums.novell.com/member.php?userid=1961
View this thread: http://forums.novell.com/showthread.php?t=451042


Re: LDAP Authentication over custom attribute instead CN

On Thu, 19 Jan 2012 13:46:01 +0000, AlanCota wrote:

> Could I use a new custom attribute (any of them) to authenticate users
> against Novell eDirectory using LDAP, instead of using the default CN naming
> attribute to bind? If I could, how hard would it be to implement?


LDAP authentication requires a DN, and a password. The DN can be built
from CN or UID naming, it doesn't matter. You can use any attribute you
want the user to supply to get the DN, though.

The usual algorithm for LDAP goes something like:

1. Prompt user for something (cn, mail, etc.) known to them.
2. Prompt user for password.
3. Anonymous bind to LDAP.
4. Search using a filter of (cn=bob) or (mail=pres@whitehouse.com) etc.
5. LDAP returns the matching DN (or DNs) of the objects found.
6. Unbind.
7. Assuming only one DN is returned, use that and the provided password.
8. Bind (authenticated) to LDAP.
9. If success, user is "logged in".
10. Optionally - do other LDAP operations here.
11. Unbind.

Be careful that if no DNs are returned, you don't then bind with no
user DN specified in #8. That's an anonymous bind.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.

alancota1

Re: LDAP Authentication over custom attribute instead CN


Thank you David!

Could I use an authenticated and recognized user DN (like a service user
account to bind other users) to bind and authenticate the user that is trying
to gain access to my system? Am I right?
The idea is to have just one DN for each user. I got it, I think.

Thank you, again.


--
*:cool: Alan Cota | Brazil.
CNE | ISM & Security Specialist.
'http://www.alancota.biz' (http://www.alancota.net)*


Re: LDAP Authentication over custom attribute instead CN

On Thu, 19 Jan 2012 14:56:02 +0000, AlanCota wrote:

> Could I use an authenticated and recognized user DN (like service user
> account to bind other users) to bind and auths the user that is trying
> to gain access to my system?


Only one bind at a time. You can use a service account in place of the
anonymous bind step, if you prefer. But then that service account unbinds
and the user (DN) binds.


> Am I right? The idea is to have just
> one DN for each user. I got it, I think.


A user, by definition, only has one DN. The problem is that your search
filter has to be good enough so that it only finds one DN. So you could
have three users called Bob:

dn: cn=Bob,ou=Foo,o=Com
dn: cn=Bob,ou=Bar,o=Com
dn: cn=Bob,ou=Baz,o=Com

If you search with filter (cn=bob), you'll get back all three DNs. But if
each of these has a unique attribute, like mail:

dn: cn=Bob,ou=Foo,o=Com
mail: bob@foo.com

dn: cn=Bob,ou=Bar,o=Com
mail: bob@bar.com

dn: cn=Bob,ou=Baz,o=Com
mail: bob@baz.com

and you search for (mail=bob@bar.com), you only get back one DN.


--
--------------------------------------------------------------------------
David Gersic dgersic_@_niu.edu
Knowledge Partner http://forums.novell.com

Please post questions in the forums. No support provided via email.
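As an added example (mine, not David's code or anything from Novell) covering both the numbered search-then-bind steps in David's first reply and the three-Bob lookup in this one: a Python model of that flow which requires exactly one matching DN and never binds with an empty DN. `DIRECTORY`, `build_filter`, `search`, `bind` and `authenticate` are constructed stand-ins for a real LDAP client and server so it runs offline; the filter escaping follows RFC 4515.

```python
import hmac
import re
from typing import List, Optional

# Constructed sample data (not a real eDirectory): the three Bobs from the
# reply above, told apart only by their mail attribute.
DIRECTORY = {
    "cn=Bob,ou=Foo,o=Com": {"cn": "Bob", "mail": "bob@foo.com", "userPassword": "foo-secret"},
    "cn=Bob,ou=Bar,o=Com": {"cn": "Bob", "mail": "bob@bar.com", "userPassword": "bar-secret"},
    "cn=Bob,ou=Baz,o=Com": {"cn": "Bob", "mail": "bob@baz.com", "userPassword": "baz-secret"},
}

def build_filter(attr: str, value: str) -> str:
    """Step 4: build (attr=value), escaping the user-supplied value per RFC 4515
    so characters such as ( ) * \\ cannot change the meaning of the filter."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)
    return "(%s=%s)" % (attr, escaped)

def search(ldap_filter: str) -> List[str]:
    """Steps 3-6 (anonymous bind, search, unbind). Stand-in server that evaluates
    a single (attr=value) equality filter and returns the matching DNs."""
    attr, _, value = ldap_filter[1:-1].partition("=")
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)
    return [dn for dn, entry in DIRECTORY.items()
            if entry.get(attr, "").lower() == value.lower()]

def bind(dn: str, password: str) -> bool:
    """Step 8: simple bind as dn. An empty DN (or empty password) would be an
    anonymous/unauthenticated bind on a real server, so it is refused here."""
    if not dn or not password:
        return False
    entry = DIRECTORY.get(dn)
    return entry is not None and hmac.compare_digest(entry["userPassword"], password)

def authenticate(attr: str, value: str, password: str) -> Optional[str]:
    """Steps 1-9: return the bound DN on success, None otherwise. Exactly one
    match is required: zero must not fall through to an anonymous bind, and
    more than one (e.g. cn=Bob) means the filter was not selective enough."""
    matches = search(build_filter(attr, value))
    if len(matches) != 1:
        return None
    dn = matches[0]
    return dn if bind(dn, password) else None
```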

Anonymous_User

Re: LDAP Authentication over custom attribute instead CN

David Gersic wrote:

> Only one bind at a time. You can use a service account in place of the
> anonymous bind step, if you prefer. But then that service account unbinds
> and the user (DN) binds.


Some apps always bind with a service account (which needs to be more privileged
in that case) and just let LDAP compare the user-provided password against the
value of the password attribute instead of actually doing a user bind. That does not
trigger intruder lockouts or use up grace logins. It's an auth option, e.g. in
PWM.
