Ldap – Change DN in OpenLDAP “on the fly”

ldap, openldap

I'm a newbie in LDAP and I have the following issue:

I use OpenLDAP as a caching proxy for remote Active Directory.

And the full DN of a user is like "cn=Doe\, John,ou=users,ou=others,dc=company,dc=com", while the uid (sAMAccountName) is the short form of first and second name. For example John Doe will be jdoe.

I already have an SVN server, Bugzilla and ReviewBoard working fine with this because they have many settings for LDAP support. But now I'm trying to set up YouTrack and there is a lack of LDAP settings in it.

I want to be able to log in to YouTrack using the short form login (like "jdoe"), but when I set the transform string in YouTrack as "sAMAccountName=$login$,ou=users,ou=others,dc=company,dc=com" I get the following error all the time:

[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]

which is "invalid credentials".

But if I specify the full name explicitly in the transform string I can log in (but no one else of course):

"cn=Doe\, John,ou=users,ou=others,dc=company,dc=com"

So, my question is: can I modify the DN of a user "on the fly" in order to have something like this, for example?

"cn=jdoe,ou=users,ou=others,dc=company,dc=com"

Best Answer

Even though this question might be a little old, I've come up with a few thoughts on this. Maybe it will help somebody in the future:

  1. You could simply modify the DN by using ldapmodify with changetype: moddn or modrdn, providing the new DN (newrdn). More information on this can be found in bullet point number 4 here: http://www.zytrax.com/books/ldap/ch8/#changetype
  2. You could use the "rwm" overlay in OpenLDAP. This lets you either rewrite your DN, massage the suffix or even provide a virtual view on your data. Check man 5 slapo-rwm. This thing is really powerful!
  3. Another way would be to set up an alias for the initial entry. cn=jdoe,ou=users,ou=others,dc=company,dc=com could be of object class "alias" and have your initial account written in the attribute aliasedObjectName. All you would need to do in this case would be to check whether the ldapsearch operation follows referrals or not.

On my server I have a similar setup and chose the 3rd way. To have it completely clean, I created my own schema where I have a dedicated alias object class for this which provides the necessary additional fields.
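As an added example (not code from the question or the answer above), the following builds the LDIF for approach 1 (modrdn) and approach 3 (an alias entry) from this thread, with RFC 4514 escaping so that an RDN value such as "Doe, John" or an untrusted login value cannot change the structure of the DN. It assumes the alias entry also carries objectClass extensibleObject so that cn may be used as its RDN; only the standard library is used, and the output is meant to be piped into ldapmodify.

```python
# Added example: generate LDIF for the modrdn and alias approaches discussed above.
_RDN_SPECIAL = ',+"\\<>;'   # characters that must be backslash-escaped in an RDN value


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514, section 2.4).

    Escaping matters for security as well as correctness: a login such as
    "jdoe,ou=admins" must stay a single value and must not splice a new RDN
    into the DN that is being constructed from it.
    """
    out = "".join("\\" + ch if ch in _RDN_SPECIAL else ch for ch in value)
    if out.startswith(("#", " ")):          # leading '#' or space needs escaping
        out = "\\" + out
    if out.endswith(" "):                    # trailing space needs escaping
        out = out[:-1] + "\\ "
    return out


def modrdn_ldif(old_dn: str, new_rdn: str, delete_old: bool = False) -> str:
    """LDIF for approach 1: rename the entry in place (changetype: modrdn)."""
    return (f"dn: {old_dn}\n"
            f"changetype: modrdn\n"
            f"newrdn: {new_rdn}\n"
            f"deleteoldrdn: {1 if delete_old else 0}\n")


def alias_ldif(short_login: str, target_dn: str, base: str) -> str:
    """LDIF for approach 3: add cn=<login>,<base> as an alias of the real account.

    objectClass extensibleObject is an assumption made here so the entry may carry
    a cn attribute for its RDN; the answer's author used a custom schema instead.
    """
    return (f"dn: cn={escape_rdn_value(short_login)},{base}\n"
            f"changetype: add\n"
            f"objectClass: alias\n"
            f"objectClass: extensibleObject\n"
            f"cn: {short_login}\n"
            f"aliasedObjectName: {target_dn}\n")


if __name__ == "__main__":
    # Constructed sample values taken from the thread's example DN.
    base = "ou=users,ou=others,dc=company,dc=com"
    real = f"cn={escape_rdn_value('Doe, John')},{base}"
    print(modrdn_ldif(real, "cn=jdoe"))
    print(alias_ldif("jdoe", real, base))
```

When checking approach 3 with ldapsearch, pass `-a always` so that aliases are dereferenced; a client that never dereferences will see the alias entry itself rather than the account it points at.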