I have an application that supports LDAP as a means of authentication and authorization. I would like to have it use our OUD-based identity store. This is not an open system; I have no control over the client's behaviour, so any tweaking I do to make it work must be done on the server side.
If I just enter a username "firstname.lastname" (as is our convention), the application sends this string verbatim to OUD and fails.
[11/Mar/2014:14:49:34 -0400] CONNECT conn=67 from=xxx.xxx.xxx.xxx:44715 to=xxx.xxx.xxx.xxx:1636 protocol=LDAPS
[11/Mar/2014:14:49:34 -0400] BIND REQ conn=67 op=0 msgID=1 type=SIMPLE dn="firstname.lastname"
[11/Mar/2014:14:49:34 -0400] BIND RES conn=67 op=0 msgID=1 result=1 message="The provided value "firstname.lastname" could not be parsed as a valid distinguished name because it contained an RDN containing an empty attribute name" etime=23
This is predictable as the application is not smart enough to expand this username to something smart like "uid=firstname.lastname,ou=People,dc=example,dc=com". However, if I authenticate with this fully qualified DN, authentication succeeds.
I don't expect my users to remember this ugly DN string. Is there any way I can tweak the OUD side to accept these types of shortened aliases? Or am I verging on OVD territory here?
The application is capable of mapping its internal authorization levels to LDAP groups. The problem here is that it uses searches for memberOf (AD) or groupMembership (Novell) attributes in order to ascertain group membership, rather than the conventional memberUid or ismemberOf.
[11/Mar/2014:14:49:59 -0400] SEARCH REQ conn=71 op=1 msgID=2 base="uid=firstname.lastname,ou=People,dc=example,dc=com" scope=baseObject filter="(objectclass=user)" attrs="memberOf,groupMembership"
[11/Mar/2014:14:49:59 -0400] SEARCH RES conn=71 op=1 msgID=2 result=0 nentries=0 etime=0
The result of course is that group membership is not properly found, and thus authorizations are not assigned.
I understand that I can create a virtual attribute, based on ismemberof but called memberof, which should be able to add support for this query, but I cannot find a working recipe to properly add this functionality.
Has anyone done anything like this before?
Running OUD 18.104.22.168.0