On Mon, Aug 3, 2009 at 2:57 PM, Bruno S.[email protected] wrote:
Is it a library limitation? Or it really should work like this?
I imagined it should work as when you log in windows computers:
username, password and Domain. No need for OUs
You could provide your own function to search the tree based
on username to get the DN and then use that to bind.
But then either your directory would need to allow an anonymous
connection search rights or you would need a service account
for the script to use. You would also need to consider the
possibility of duplicate usernames with different DNs (this is
less of an issue in Active Directory since AD is in some ways
still a flat domain with a simulated hierarchy bolted on).
A production implementation would probably want to cache rather
than run an extra search for every authentication request.
Alternatively, you could attempt to authenticate the user in all
possible OUs until one works or all have failed.
Or finally, you can use UPNs if you don’t mind being non-portable
to any other LDAP implementations. This is what I do in my own
corporate apps (despite the bad taste it leaves in my mouth).
I’ve done a couple of variations:
* Ask for “Username” and append the UPN suffix
* Ask for “UPN” and pass it through
* Ask for “Email Address” and hope they enter their
canonical address and not a special alias