I'm having trouble authenticating services using uid for authentication, which I thought was the standard method for authentication on the user. So basically, my users are added in ldap like this:
# jsmith, Users, example.com
dn: uid=jsmith,ou=Users,dc=example,dc=com
uidNumber: 10003
loginShell: /bin/bash
sn: Smith
mail: jsmith@example.com
homeDirectory: /home/jsmith
displayName: John Smith
givenName: John
uid: jsmith
gecos: John Smith
gidNumber: 10000
cn: John Smith
title: System Administrator
But when I try to authenticate using typical webapps or services like this:
jsmith
password
I get:
ldapsearch -x -h ldap.example.com -D "cn=jsmith,ou=Users,dc=example,dc=com" -W -b "dc=example,dc=com"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
But if I use:
ldapsearch -x -h ldap.example.com -D "uid=jsmith,ou=Users,dc=example,dc=com" -W -b "dc=example,dc=com"
It works.
HOWEVER…most webapps and authentication methods seem to use another method. So on a webapp I'm using, unless I specify the user as: uid=smith,ou=users,dc=example,dc=com
Nothing works.
In the webapp I just need users to put: jsmith in the user field.
Keep in mind my ldap is using the "new" cn=config
method of storing settings. So if someone has an obvious ldif I'm missing please provide.
Let me know if you need further info. This is OpenLDAP on Ubuntu 12.04.
Best Answer
The
ldapsearch
tool in your example uses simple BIND to change the authorization state of the connection. The simple BIND operation requires the distinguished name and credentials. The distinguished name isuid=jsmith,ou=Users,dc=example,dc=com
, notcn=jsmith,ou=Users,dc=example,dc=com
in the entry given as example.This directory server configuration causes the server to return the result code for
invalid credentials
when actually the distinguished namecn=jsmith,ou=Users,dc=example,dc=com
doe not exist. This is the recommended configuration: it provides less information to an attacker.