Bind with a unique attribute value

You can use an attribute with a unique value and password, instead of the distinguished name (DN) and password, to bind to a directory server. A DN value can be long, and a unique attribute value might be easier to remember.

Restriction: A bind operation with a unique attribute value is not supported by proxy servers.

To use an attribute with a unique value and password in bind operations, you must:

  • Identify an attribute with a unique value in the directory server instance.
  • Configure the ibm-slapdUniqueAttrForBindWithValue attribute under the cn=Configuration entry and set its value to an attribute that contains a unique value, such as mail or uid. You can assign a multivalued attribute in the ibm-slapdUniqueAttrForBindWithValue attribute, but each of its values must also be unique.

Attention: Do not assign the ibm-slapdUniqueAttrForBindWithValue attribute with the following attribute types:
  • An attribute that uses the = character in the attribute value.
  • An encrypted attribute.

To change the attribute for bind operations, modify the ibm-slapdUniqueAttrForBindWithValue attribute value and restart the directory server and the administration server.

The following example shows the cn=Configuration entry with the ibm-slapdUniqueAttrForBindWithValue attribute:

dn: cn=Configuration
cn: Configuration
ibm-slapdAdminDN: cn=root
ibm-slapdAdminGroupEnabled: true
ibm-slapdAdminPW: {AES256}0iBLFmJJXwLM5eocBxeJZw==
...
...
ibm-slapdTimeLimit: 900
ibm-slapdTraceMessageLevel: 0xFFFF
ibm-slapdTraceMessageLog: /home/dsrdbm01/idsslapd-dsrdbm01/logs/traceibmslapd.log
ibm-slapdUniqueAttrForBindWithValue: mail
ibm-slapdVersion: 6.4
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdTop

Error codes

When you use an attribute for bind operations, the directory server generates an LDAP_INVALID_CREDENTIALS error for the following reasons:

  • The attribute that is used for the bind operation is not associated with any entry.
  • The password is incorrect.
  • The attribute does not contain a unique value or multiple entries are associated with the attribute value.

The error messages are also recorded in the ibmslapd.log file.

For any other error condition, the directory server also returns the LDAP_INVALID_CREDENTIALS error code. If you activate the server trace, the error messages are also logged in the traceibmslapd.log file.
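The configuration restrictions above (a unique, unencrypted attribute whose values never contain the = character) and the three failure reasons that all surface to the client as one LDAP_INVALID_CREDENTIALS result can be illustrated with a small simulation. The following Python is an added example, not IBM Security Directory Server code: it models the directory instance as an in-memory dictionary, the pre-deployment check on ibm-slapdUniqueAttrForBindWithValue as check_unique_attr_config, and the bind as simple_bind, which records the specific reason in a list standing in for ibmslapd.log while returning only the generic error code to the caller. The entry DNs other than the page's Al Garcia entry, the mail and uid values, the passwords and the ENCRYPTED_ATTRS set are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count kept modest so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _entry(uid: str, mail: str, password: str) -> Dict[str, object]:
    salt = os.urandom(16)
    return {"attrs": {"uid": uid, "mail": mail},
            "salt": salt, "pwhash": _hash_password(password, salt)}


# Constructed in-memory directory standing in for the server instance. The first DN
# and mail value follow the page's audit example; the remaining entries are made up,
# including two that share a mail value (the misconfiguration the check below catches).
DIRECTORY: Dict[str, Dict[str, object]] = {
    "cn=Al Garcia,ou=Home Entertainment,ou=Austin,o=sample":
        _entry("agarcia", "al.garcia@sample.com", "correct horse"),
    "cn=Bo Chen,ou=Austin,o=sample": _entry("bchen", "bo.chen@sample.com", "hunter2"),
    "cn=Shared One,o=sample": _entry("shared1", "helpdesk@sample.com", "x"),
    "cn=Shared Two,o=sample": _entry("shared2", "helpdesk@sample.com", "y"),
}

# Attributes this deployment stores encrypted (constructed set; the page names no
# configuration key for this, it only says an encrypted attribute must not be used).
ENCRYPTED_ATTRS = {"userPassword"}

SERVER_LOG: List[str] = []  # stands in for ibmslapd.log


def check_unique_attr_config(attr: Optional[str], directory: Dict[str, Dict[str, object]],
                             encrypted_attrs) -> List[str]:
    """Checks mirroring the page's restrictions on ibm-slapdUniqueAttrForBindWithValue:
    the attribute must be set, must not be encrypted, no value may contain '=',
    and every value must belong to exactly one entry. Returns a list of problems."""
    problems: List[str] = []
    if not attr:
        return ["ibm-slapdUniqueAttrForBindWithValue is not set"]
    if attr in encrypted_attrs:
        problems.append(f"{attr} is an encrypted attribute")
    seen: Dict[str, List[str]] = {}
    for dn, entry in directory.items():
        value = entry["attrs"].get(attr)
        if value is None:
            continue
        if "=" in value:
            problems.append(f"{dn}: value {value!r} contains '='")
        seen.setdefault(value, []).append(dn)
    for value, dns in seen.items():
        if len(dns) > 1:
            problems.append(f"value {value!r} is not unique: {', '.join(dns)}")
    return problems


def resolve_bind_identity(bind_value: str, attr: str,
                          directory: Dict[str, Dict[str, object]]) -> Tuple[Optional[str], str]:
    """Map the identity the client sent to a DN. A value containing '=' is treated
    as a DN, which is why the bind attribute's values must not contain one; any other
    value must match the configured attribute of exactly one entry."""
    if "=" in bind_value:
        return (bind_value, "dn") if bind_value in directory else (None, "no such entry")
    matches = [dn for dn, e in directory.items() if e["attrs"].get(attr) == bind_value]
    if not matches:
        return None, f"no entry has {attr}={bind_value}"
    if len(matches) > 1:
        return None, f"{attr}={bind_value} matches {len(matches)} entries"
    return matches[0], "resolved"


def simple_bind(bind_value: str, password: str, attr: str,
                directory=DIRECTORY, log=SERVER_LOG) -> str:
    """Simple bind with either a DN or a unique attribute value. The three failure
    modes (unknown value, wrong password, non-unique value) are told apart only in
    the server log; the caller always receives the generic LDAP_INVALID_CREDENTIALS."""
    dn, reason = resolve_bind_identity(bind_value, attr, directory)
    if dn is None:
        log.append(f"bind failed for {bind_value!r}: {reason}")
        return "LDAP_INVALID_CREDENTIALS"
    entry = directory[dn]
    if not hmac.compare_digest(_hash_password(password, entry["salt"]), entry["pwhash"]):
        log.append(f"bind failed for {bind_value!r} ({dn}): wrong password")
        return "LDAP_INVALID_CREDENTIALS"
    log.append(f"bind ok: {bind_value!r} -> {dn}")
    return "LDAP_SUCCESS"


if __name__ == "__main__":
    print(check_unique_attr_config("mail", DIRECTORY, ENCRYPTED_ATTRS))
    print(simple_bind("al.garcia@sample.com", "correct horse", "mail"))
    print(simple_bind("helpdesk@sample.com", "x", "mail"))
    print(*SERVER_LOG, sep="\n")
```

Running check_unique_attr_config against the constructed directory reports the shared helpdesk@sample.com value for mail and nothing for uid; a bind with the shared value fails even when the password matches one of the two entries, and only the server-side log says why.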

Audit log entries for bind with a unique attribute value

For security purposes, you can enable the audit log to record all failed and successful operations against a directory server. The server records the following attributes in the audit log file for operations that result in a bind against the server with a unique attribute value:

  • bindDN: unique_attr_value
  • name: DN_entry_value

The bindDN entry records the unique_attr_value, which was used to bind against the server. The name entry records the DN entry that is associated with the unique attribute value. The following example shows the audit record with the values:

AuditV3--2013-05-20-21:43:38.903+5:30--V3 Bind--bindDN: al.garcia@sample.com
 --client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.881+5:30
 --Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
name: cn=Al Garcia, ou=Home Entertainment, ou=Austin, o=sample
authenticationChoice: simple
AuditV3--2013-05-20-21:43:38.961+5:30--V3 Search--bindDN: al.garcia@sample.com
 --client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.896+5:30
 --Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
base: o=sample
scope: wholeSubtree
derefAliases: neverDerefAliases
typesOnly: false
filter: (objectclass=*)
numberOfEntriesReturned: 2
AuditV3--2013-05-20-21:43:38.962+5:30--V3 Unbind--bindDN: al.garcia@sample.com
 --client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.962+5:30
 --Success
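The audit records above carry the information a reviewer needs to tie a unique-attribute bind back to the entry it resolved to: the bindDN field holds the value the client presented and the name field holds the DN the server matched. The following Python is an added example, not part of the product or of the original page: it parses records in the AuditV3 layout shown above (header fields separated by --, continuation lines beginning with a space and --, then key: value lines), separates binds that used a unique attribute value from DN binds, counts failed binds per client address, and builds a map from each bind value to the DNs it has resolved to, so that a value resolving to more than one DN over time stands out. The sample log embeds the three records from the page plus one constructed failed bind; the exact result text of a failed bind is not shown on the page, so the parser treats any status other than Success as a failure.

```python
from typing import Dict, List

# Three records copied from the page's example, followed by one constructed failed bind
# (its "Invalid credentials" status text is an assumption, not taken from the page).
SAMPLE_AUDIT_LOG = """\
AuditV3--2013-05-20-21:43:38.903+5:30--V3 Bind--bindDN: al.garcia@sample.com
 --client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.881+5:30
 --Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
name: cn=Al Garcia, ou=Home Entertainment, ou=Austin, o=sample
authenticationChoice: simple
AuditV3--2013-05-20-21:43:38.961+5:30--V3 Search--bindDN: al.garcia@sample.com
 --client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.896+5:30
 --Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
base: o=sample
scope: wholeSubtree
derefAliases: neverDerefAliases
typesOnly: false
filter: (objectclass=*)
numberOfEntriesReturned: 2
AuditV3--2013-05-20-21:43:38.962+5:30--V3 Unbind--bindDN: al.garcia@sample.com
 --client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.962+5:30
 --Success
AuditV3--2013-05-20-21:44:02.110+5:30--V3 Bind--bindDN: nobody@sample.com
 --client: 127.0.0.1:17050--connectionID: 3--received: 2013-05-20-21:44:02.100+5:30
 --Invalid credentials
authenticationChoice: simple
"""


def parse_audit_log(text: str) -> List[Dict[str, str]]:
    """Split an AuditV3 log into one dict per record. Header fields become
    timestamp, operation, status and the key: value pairs between them;
    body lines are added as further key: value pairs."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if line.startswith("AuditV3--"):
            if current:
                records.append(current)
            current = {"_header": line}
        elif not current:
            continue  # text before the first record
        elif line.startswith(" --"):
            current["_header"] += line[1:]  # continuation of the header line
        else:
            key, sep, value = line.partition(": ")
            if sep:
                current[key] = value
    if current:
        records.append(current)
    for rec in records:
        fields = rec.pop("_header").split("--")
        rec["timestamp"], rec["operation"], rec["status"] = fields[1], fields[2], fields[-1]
        for field in fields[3:-1]:
            key, sep, value = field.partition(": ")
            if sep:
                rec[key] = value
    return records


def is_dn(value: str) -> bool:
    # A DN always contains at least one type=value RDN; a unique-attribute bind
    # value never contains '=' under the page's restriction.
    return "=" in value


def unique_attribute_binds(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Bind records whose bindDN is a unique attribute value rather than a DN,
    paired with the DN the server resolved it to (the name field, absent on failure)."""
    return [{"timestamp": r["timestamp"], "client": r["client"], "bindDN": r["bindDN"],
             "name": r.get("name"), "status": r["status"]}
            for r in records if r["operation"] == "V3 Bind" and not is_dn(r["bindDN"])]


def failed_binds_by_client(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count binds that did not succeed, keyed by client IP (port stripped)."""
    counts: Dict[str, int] = {}
    for r in records:
        if r["operation"] == "V3 Bind" and r["status"] != "Success":
            ip = r["client"].rsplit(":", 1)[0]
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def identity_map(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """For successful unique-attribute binds, the distinct DNs each bind value
    resolved to; more than one DN for a value means the attribute is no longer unique."""
    seen: Dict[str, set] = {}
    for b in unique_attribute_binds(records):
        if b["status"] == "Success" and b["name"]:
            seen.setdefault(b["bindDN"], set()).add(b["name"])
    return {value: sorted(dns) for value, dns in seen.items()}


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AUDIT_LOG)
    for b in unique_attribute_binds(recs):
        print(b)
    print(failed_binds_by_client(recs))
    print(identity_map(recs))
```

On the sample, the two V3 Bind records are reported as unique-attribute binds, the constructed failure counts once against 127.0.0.1, and al.garcia@sample.com maps to the single DN from the page.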

Bind with a unique attribute value for pass-through authentication

You can use the attribute that is configured for bind operations to authenticate against an authentication server. Instead of the DN value and password, use the unique attribute value and password for bind operations.

If the user entry is not available on the authentication server, the server generates an error. For pass-through authentication with a unique attribute value and password, the entry must be available on the authenticating server.