This discussion is archived
3 Replies Latest reply: Sep 13, 2013 5:19 AM by Sylvain Duloutre

LDAP logins for end-users with short UIDs (not full DNs) - is it possible in DSEE?

JimKlimov Newbie


There are a number of LDAP services that DSEE can provide for authenticated end-users, such as a "Corporate address book" search integration in email clients. In order to authenticate, users must of course identify themselves - and this is the problem: DSEE seems to only accept full DNs (at least by default). These are on one hand a sort of implementation detail and may be changed by directory admins (i.e. regrouping accounts into different OUs), and on the other - are, in a sufficiently complex enterprise structure, just a horridly long meaningless string, typing or copy-pasting of which is prone to human errors.

 

I have so far built a workaround - a new suffix with an OU=People entry which is in fact an LDAP referral to a "real" OU in the "real" suffix with entries. This shortens the login string considerably (and works at least for ldapsearch, and it was crucial that this new suffix is not part of the commonly used namespace tree used as the base for all common searches), but this does not solve the problem of transparent user account movement between OUs (though I can define several OU shortcuts this way, which feels easier to manage already).

 

I guess something similar, but more advanced, to produce a short flat namespace of all UIDs, can be built with Directory Proxy Server - but IIRC it is licensed separately from DSEE (bundled with CommSuite)?

 

Is it possible to identify users by just "uid=user123" as long as UID Uniqueness is ensured by the server (for example with the so-named plugin enabled) and the request for such uid would return one-and-only-one resulting entry? Would it help to allow anonymous searches for UID attribute, so that email clients could construct a full DN for subsequent login "under the hood" (can they do this at all? are any clients known to do this?) What do other DSEE admins do in such cases?

 

Thanks for ideas,

//Jim
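The "look up the UID, then bind with the DN that comes back" flow asked about above, as an added example that is not part of the original post and not DSEE or client code. It assumes a constructed in-memory `DIRECTORY` (hypothetical `dc=example,dc=com` DNs) in place of a real LDAP search and a hypothetical `bind(dn, password)` callable; it shows the three checks the lookup needs: escaping the typed-in UID, refusing anything other than exactly one match, and rejecting empty passwords.

```python
import re

# Constructed sample entries standing in for the directory; DNs are hypothetical.
DIRECTORY = [
    {"dn": "uid=user123,ou=Sales,ou=People,dc=example,dc=com", "uid": "user123"},
    {"dn": "uid=user456,ou=Eng,ou=People,dc=example,dc=com", "uid": "user456"},
    {"dn": "uid=dup,ou=Sales,ou=People,dc=example,dc=com", "uid": "dup"},
    {"dn": "uid=dup,ou=Eng,ou=People,dc=example,dc=com", "uid": "dup"},
]

def escape_filter_value(value):
    """RFC 4515 escaping, so a typed-in UID cannot change the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search(filter_str):
    """Stand-in for a subtree search; understands only (uid=<value>) with '*' wildcards."""
    m = re.fullmatch(r"\(uid=(.*)\)", filter_str, flags=re.S)
    if not m:
        raise ValueError("unsupported filter")
    tokens = re.findall(r"\\[0-9a-fA-F]{2}|.", m.group(1), flags=re.S)
    pattern = "".join(
        ".*" if t == "*" else re.escape(chr(int(t[1:], 16)) if len(t) == 3 else t)
        for t in tokens)
    return [e["dn"] for e in DIRECTORY
            if re.fullmatch(pattern, e["uid"], flags=re.I | re.S)]

def resolve_dn(uid):
    """Return the single DN for this UID, or None when there are zero or several matches."""
    matches = search("(uid=%s)" % escape_filter_value(uid))
    return matches[0] if len(matches) == 1 else None

def login(uid, password, bind):
    """Search-then-bind; `bind(dn, password)` is a hypothetical callable doing the real bind."""
    if not password:
        # A DN with an empty password is an "unauthenticated bind" (RFC 4513) that
        # a server may accept, so it must never count as a successful login.
        return False
    dn = resolve_dn(uid)
    return dn is not None and bool(bind(dn, password))

if __name__ == "__main__":
    fake_bind = lambda dn, pw: pw == "s3cret"  # constructed credential check
    print(resolve_dn("user123"))
    print(resolve_dn("dup"), resolve_dn("*"))
    print(login("user123", "s3cret", fake_bind), login("user123", "", fake_bind))
```

Because the lookup searches the whole subtree, moving an account between OUs changes the DN it returns without changing what the user types.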
