I'm trying to connect to an LDAP server running slapd, using the net_ldap ruby gem. I'm able to perform the bind action using the cn of the user, but I need to use the uid.
The LDAP server was created by ClearOS and is otherwise untouched, standard configuration.
Here's my ruby code:
  require 'net/ldap'

  # Simple bind: the username must be the full DN of the entry
  Net::LDAP.new(
    {
      host: "10.1.1.3",
      port: 389,
      base: "dc=company,dc=lan",
      auth: {
        method: :simple,
        username: 'cn=Andrew Faraday,ou=Users,ou=Accounts,dc=company,dc=lan',
        password: "secret"
      }
    }
  ).bind
That works fine, but what I really want to do is log in using the uid rather than the cn, e.g.
  username: 'uid=ajfaraday,ou=Users,ou=Accounts,dc=company,dc=lan',
Here's the result of a successful ldap search (fairly heavily redacted):
dn: cn=Andrew Faraday,ou=Users,ou=Accounts,dc=edge,dc=lan
uidNumber: 2004
gidNumber: 63000
homeDirectory: /home/ajfaraday
clearAccountStatus: enabled
sambaAcctFlags: [U ]
sambaDomainName: company
sambaBadPasswordCount: 0
sambaBadPasswordTime: 0
uid: ajfaraday
givenName: Andrew
sn: Faraday
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: clearAccount
objectClass: sambaSamAccount
cn: Andrew Faraday
loginShell: /bin/bash
I've spent a few days digging through slap config files, manuals and old (like, over a decade old) questions on this and I'm coming up blank. I've tried variants on all of these things:
- Define a rule to build the dn differently for each user.
- Allow authorisation rights on the uid attribute.
- Set up an authz-regexp or sasl-regexp to convert input to a search string looking for uid.
None of these appear to have the desired effect. The regexp attributes appear to do nothing at all.
Best Answer
In LDAP there are two ways to authenticate: the simple mechanism and SASL. The simple mechanism you are using requires you to bind against an exact Distinguished Name. So if you want to use your username instead of your full name you have to change the DN, by using the following LDIF instructions:

However the SASL mechanisms are more flexible and you can map any login to an LDAP entry. You can also perform an LDAP search to find your DN. E.g., if you add the rewrite rules:

you can locally authenticate to LDAP through the Unix socket:

Remark: You need to restart the server after changing the olcAuthzRegexp attribute for it to be taken into account.
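The "search for the DN, then bind" approach from the answer, done client-side with the net-ldap gem, as an added example that is not part of the question or the answer. It assumes the base and host from the question, that the search can run anonymously or under an already-bound service account, and it escapes the login before putting it into the filter so a crafted uid cannot widen the search.

```ruby
# Added example (not from the question or the answer): authenticate by uid with
# net-ldap by searching for the entry first, then binding as the DN found.
# Assumed from the question: host 10.1.1.3, users under ou=Users,ou=Accounts.
BASE = 'ou=Users,ou=Accounts,dc=company,dc=lan'

# Escape a value for use inside an LDAP search filter (RFC 4515), so that a
# login such as "*" or "x)(uid=admin" cannot widen or rewrite the filter.
def escape_filter_value(value)
  value.to_s.gsub(/[\\*()\x00]/) { |c| format('\\%02x', c.ord) }
end

def uid_filter(uid)
  "(&(objectClass=posixAccount)(uid=#{escape_filter_value(uid)}))"
end

# Search for exactly one entry matching the uid, then bind as that entry's DN.
# `ldap` must respond to #search(base:, filter:, attributes:) returning a list
# of entries with #dn, and to #bind(method:, username:, password:) returning
# true/false. A Net::LDAP instance does; the test below uses a fake.
# Returns the DN on success, nil for unknown user, ambiguous match or bad password.
def bind_by_uid(ldap, uid, password)
  # A blank password turns a simple bind into an anonymous bind on many
  # servers, which would "succeed" without checking anything: reject it early.
  return nil if password.to_s.empty?
  entries = ldap.search(base: BASE, filter: uid_filter(uid), attributes: ['dn']) || []
  return nil unless entries.size == 1
  dn = entries.first.dn
  ldap.bind(method: :simple, username: dn, password: password) ? dn : nil
end

# Real connection; the gem is only loaded here so the helpers above run without it.
def connect_ldap(host: '10.1.1.3', port: 389)
  require 'net/ldap'
  Net::LDAP.new(host: host, port: port, base: BASE)
end
```

With a live server the call is `bind_by_uid(connect_ldap, 'ajfaraday', 'secret')`; the gem's own `Net::LDAP#bind_as(base:, filter:, password:)` performs the same search-then-bind sequence.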