When adding a new user under dc=example,dc=com using Apache Directory Studio, I have this tree structure:

    dc=example,dc=com
    |-- ou=engineering
        |-- cn=Lawrence K.H Loh+o=IKEA+sn=Loh+uid=lawrence+displayName=Lawrence

Below is the attribute list for the cn:

- objectClass = inetOrgPerson
- objectClass = organizationalPerson
- objectClass = person
- objectClass = top
- cn = Lawrence K.H Loh
- sn = Loh
- displayName = Lawrence
- o = IKEA
- uid = lawrence
- userPassword = SSHA hashed password

I get this error: `LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: Attempt to lookup non-existant entry` when I connect to this entry through `uid=lawrence,ou=engineering,dc=example,dc=com`. But it works fine if I use `cn=Lawrence K.H Loh+o=IKEA+sn=Loh+uid=lawrence+displayName=Lawrence,ou=engineering,dc=example,dc=com`. May I know how I can switch to `uid=lawrence` instead of the long name for authentication?
Best Answer
With that particular object, it's unlikely that you can. LDAP is looking for you to bind with the distinguished name (DN) of the object, and the primary attribute in this case is `cn`. This is a deliberate design decision because there is no guarantee that any given attribute of objects within a container will be unique other than the one that is associated with their DN.

This will not stop services from being able to search your directory and determine that `uid=lawrence` is associated with that particular DN (and thus being able to find any other attributes needed off of that object), but any calls that explicitly need to be run against a DN can only be run against the primary attribute.

This isn't to say that there aren't ways that you can avoid specifying a DN. Implementing SASL authentication and defining a map between SASL IDs and DNs comes to mind. But within the context of your question, no, you cannot switch to using a non-primary attribute of the DN you're authenticating to in place of the DN.
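The "search, then bind" pattern the answer alludes to (a service looks up the DN that carries `uid=lawrence`, then binds with that full DN), as an added example that is not part of the original question or answer. It stands in a dict for the directory instead of talking to a server; the `{SSHA}` helper, the RFC 4514 RDN splitting and the RFC 4515 filter escaping are real formats, while the password and salt are constructed values.

```python
import base64, hashlib, os, re

def ssha(password: str, salt: bytes = None) -> str:
    """Build a {SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    salt = salt if salt is not None else os.urandom(8)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def check_ssha(stored: str, password: str) -> bool:
    """Verify a password against a {SSHA} value (the salt is the tail of the blob)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hashlib.sha1(password.encode() + salt).digest() == digest

# Constructed stand-in for the directory in the question, keyed by the entry's full DN.
USER_DN = ("cn=Lawrence K.H Loh+o=IKEA+sn=Loh+uid=lawrence+displayName=Lawrence,"
           "ou=engineering,dc=example,dc=com")
DIRECTORY = {USER_DN: {"uid": "lawrence",
                       "userPassword": ssha("correct horse", b"12345678")}}  # constructed

def build_uid_filter(uid: str) -> str:
    """RFC 4515 escaping: a user-typed uid must not be able to rewrite the search filter."""
    escaped = "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in uid)
    return f"(uid={escaped})"

def split_rdn(dn: str) -> dict:
    """Split the first RDN of a DN into its attribute pairs. RFC 4514 joins the assertions
    of a multi-valued RDN with '+' and escapes ',', '+' and '=' with a backslash."""
    rdn = re.split(r"(?<!\\),", dn)[0]
    pairs = {}
    for ava in re.split(r"(?<!\\)\+", rdn):
        attr, _, val = ava.partition("=")
        pairs[attr.strip().lower()] = re.sub(r"\\(.)", r"\1", val.strip())
    return pairs

def search_then_bind(directory: dict, uid: str, password: str):
    """Step 1: search with the escaped '(uid=...)' filter to obtain the entry's DN.
    Step 2: bind with that DN. Returns the DN on success, None on any failure, so the
    caller cannot tell an unknown uid from a wrong password."""
    search_filter = build_uid_filter(uid)   # what a real client sends over the wire
    # The simulated server evaluates the filter as an exact match on the uid attribute.
    hits = [dn for dn, attrs in directory.items() if attrs.get("uid") == uid]
    if len(hits) != 1:                      # unknown or ambiguous uid: refuse to bind
        return None
    dn = hits[0]
    return dn if check_ssha(directory[dn]["userPassword"], password) else None
```

A real client would send `build_uid_filter(uid)` in a search under `ou=engineering,dc=example,dc=com` with a service account, then issue a simple bind with the returned DN and the user's password.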