From: Brian C. <B.C...@po...> - 2006-06-20 14:10:35
On Tue, Jun 20, 2006 at 07:56:43AM +0000, Emmanuel Dreyfus wrote:
> On Tue, Jun 20, 2006 at 08:32:36AM +0100, Brian Candler wrote:
> > > I imagined something such as this in the config file:
> > > ldap_dn "cn=%l,dc=example,dc=net"
> > This works for some directories, but generally these are examples of poor
> > LDAP design. A well-designed directory will have an opaque DN which is
> > unrelated to any attribute of the entry. The DN is essentially the "primary
> > key" of the database, but all attributes are subject to change; you don't
> > want to be in the situation where an object's DN has to change just because
> > one attribute changes.
>
> Sure, but OTOH, that enables removing LDAP guest access, and it reduces the
> number of requests. I just wonder if it could be of any interest for some
> users.

You don't need guest access; you insist that each client binds with its own
(fixed) credentials, before performing the search. Those credentials are
limited to compare access only. However, I didn't look whether the patch
implements this, or just makes an anonymous connection.

Few other LDAP applications that I've come across have this fixed
username-to-DN mapping.

Regards,

Brian.