Bind with a unique attribute value
You can use an attribute with a unique value and password, instead of the distinguished name (DN) and password, to bind to a directory server. A DN value can be long, and a unique attribute value might be easier to remember.
To use an attribute with a unique value and password in bind operations, you must:
- Identify an attribute with a unique value in the directory server instance.
- Configure the ibm-slapdUniqueAttrForBindWithValue attribute under the cn=Configuration entry and set its value to the name of an attribute that contains a unique value, such as mail or uid. You can assign a multivalued attribute to ibm-slapdUniqueAttrForBindWithValue, but every value of that attribute must belong to exactly one entry.
You cannot configure the ibm-slapdUniqueAttrForBindWithValue attribute with the following attribute types:
- An attribute that uses the = character in the attribute value.
- An encrypted attribute.
To change the attribute for bind operations, modify the ibm-slapdUniqueAttrForBindWithValue attribute value and restart the directory server and the administration server.
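Before you point ibm-slapdUniqueAttrForBindWithValue at an attribute, it is worth checking an export of the directory for the two conditions above: every value of the candidate attribute must belong to exactly one entry, and no value may contain the = character. The following script is an added example, not IBM code. It parses a small LDIF export (the entries, DNs and mail addresses are constructed for the example), reports any violations for a candidate attribute, and emits the LDIF modify record you would feed to ldapmodify against cn=Configuration. The parser assumes a plain export without line continuations or base64 values.

```python
"""Pre-check a candidate attribute for ibm-slapdUniqueAttrForBindWithValue.

Added example, not IBM code. Checks a simple LDIF export for the two
restrictions on the bind attribute: each value maps to exactly one entry,
and no value contains '='. Then emits the cn=Configuration modify record.
"""
from collections import defaultdict

# Constructed sample export (not real directory data): uid is clean,
# mail is shared between two entries, description contains '='.
SAMPLE_LDIF = """\
dn: cn=Al Garcia,ou=Austin,o=sample
uid: agarcia
mail: al.garcia@sample.com

dn: cn=Bob Garcia,ou=Austin,o=sample
uid: bgarcia
mail: al.garcia@sample.com
mail: bob.garcia@sample.com

dn: cn=Svc Account,ou=Austin,o=sample
uid: svc-ldap
description: role=ldap
"""


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) from a simple LDIF export.

    Multi-valued attributes are kept as lists; attribute names are lowered.
    Line continuations and base64 (::) values are not handled.
    """
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    if current:
        entries.append(current)
    return entries


def check_unique_attr(entries, attr):
    """Return a list of problems that make `attr` unsuitable (empty if OK).

    A value may be multi-valued, but each value must belong to exactly one
    entry, and values containing '=' are rejected.
    """
    attr = attr.lower()
    owners = defaultdict(set)   # value -> set of DNs that carry it
    problems = []
    for dn, attrs in entries:
        for value in attrs.get(attr, []):
            if "=" in value:
                problems.append("value %r in %s contains '='" % (value, dn))
            owners[value].add(dn)
    for value, dns in sorted(owners.items()):
        if len(dns) > 1:
            problems.append("value %r is shared by %s"
                            % (value, "; ".join(sorted(dns))))
    return problems


def config_modify_ldif(attr):
    """LDIF change record that sets the bind attribute under cn=Configuration.

    Apply with ldapmodify as the administrator, then restart the directory
    server and the administration server as the documentation requires.
    """
    return ("dn: cn=Configuration\n"
            "changetype: modify\n"
            "replace: ibm-slapdUniqueAttrForBindWithValue\n"
            "ibm-slapdUniqueAttrForBindWithValue: %s\n" % attr)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for candidate in ("mail", "description", "uid"):
        problems = check_unique_attr(entries, candidate)
        if problems:
            print("%s is NOT suitable:" % candidate)
            for p in problems:
                print("  -", p)
        else:
            print("%s is suitable; apply with ldapmodify:" % candidate)
            print(config_modify_ldif(candidate))
```

Run it against a real export produced with ldapsearch (or idsdb2ldif) rather than the constructed sample; in the sample, mail fails because two entries share al.garcia@sample.com, description fails because of the = character, and only uid passes.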
The following example shows the cn=Configuration entry with the ibm-slapdUniqueAttrForBindWithValue attribute:
dn: cn=Configuration
cn: Configuration
ibm-slapdAdminDN: cn=root
ibm-slapdAdminGroupEnabled: true
ibm-slapdAdminPW: {AES256}0iBLFmJJXwLM5eocBxeJZw==
...
...
ibm-slapdTimeLimit: 900
ibm-slapdTraceMessageLevel: 0xFFFF
ibm-slapdTraceMessageLog: /home/dsrdbm01/idsslapd-dsrdbm01/logs/traceibmslapd.log
ibm-slapdUniqueAttrForBindWithValue: mail
ibm-slapdVersion: 6.4
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdTop
Error codes
When you use an attribute for bind operations, the directory server generates an LDAP_INVALID_CREDENTIALS error for the following reasons:
- The attribute value that is used for the bind operation is not associated with any entry.
- The password is incorrect.
- The attribute value is not unique; that is, more than one entry is associated with the attribute value.
The error messages are also recorded in the ibmslapd.log file.
If the directory server generates an error for any other condition, it still returns the LDAP_INVALID_CREDENTIALS error code, so a client cannot tell from the result code whether the attribute value was unknown, ambiguous, or paired with a wrong password; consult ibmslapd.log for the actual cause. If you activate the server trace, the error messages are also logged in the traceibmslapd.log file.
Audit log entries for bind with a unique attribute value
For security purposes, you can enable the audit log to record all failed and successful operations against a directory server. The server records the following attributes in the audit log file for operations that result in a bind against the server with a unique attribute value:
bindDN: unique_attr_value
name: DN_entry_value
The bindDN entry records the unique_attr_value that was used to bind against the server. The name entry records the DN of the entry that is associated with the unique attribute value. The following example shows the audit records with these values:
AuditV3--2013-05-20-21:43:38.903+5:30--V3 Bind--bindDN: al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.881+5:30
--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
name: cn=Al Garcia, ou=Home Entertainment, ou=Austin, o=sample
authenticationChoice: simple
AuditV3--2013-05-20-21:43:38.961+5:30--V3 Search--bindDN: al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.896+5:30
--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
base: o=sample
scope: wholeSubtree
derefAliases: neverDerefAliases
typesOnly: false
filter: (objectclass=*)
numberOfEntriesReturned: 2
AuditV3--2013-05-20-21:43:38.962+5:30--V3 Unbind--bindDN: al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.962+5:30
--Success
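Note that only the Bind record carries the name line; the Search and Unbind records on the same connection repeat the bindDN (the mail address) but not the resolved DN. When reviewing the audit log you therefore have to carry the DN forward by connectionID. The following script is an added example, not IBM code: it parses AuditV3 records (the sample is the three records shown above, embedded as constructed input), lists every bind that used a unique attribute value together with the DN it resolved to, and attaches that DN to the later operations on the same connection. It assumes the record layout shown above and treats a bindDN without any = character as an attribute value rather than a DN, which the configuration restriction on = makes safe.

```python
"""Correlate AuditV3 records for binds with a unique attribute value.

Added example, not IBM code. Parses the record layout shown on this page
and uses connectionID to attach the DN resolved at bind time to the
Search/Unbind records that follow on the same connection.
"""

# Constructed sample: the three records shown above, verbatim.
SAMPLE_AUDIT = """\
AuditV3--2013-05-20-21:43:38.903+5:30--V3 Bind--bindDN: al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.881+5:30
--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
name: cn=Al Garcia, ou=Home Entertainment, ou=Austin, o=sample
authenticationChoice: simple
AuditV3--2013-05-20-21:43:38.961+5:30--V3 Search--bindDN: al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.896+5:30
--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
base: o=sample
scope: wholeSubtree
derefAliases: neverDerefAliases
typesOnly: false
filter: (objectclass=*)
numberOfEntriesReturned: 2
AuditV3--2013-05-20-21:43:38.962+5:30--V3 Unbind--bindDN: al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.962+5:30
--Success
"""


def parse_audit(text):
    """Split an AuditV3 log into records.

    Each record is a dict with ts, op, bindDN, the header fields that follow
    on '--' lines (client, connectionID, received, status) and an 'attrs'
    dict of the 'key: value' lines that follow the header.
    """
    records, rec = [], None
    for line in text.splitlines():
        if line.startswith("AuditV3--"):
            if rec:
                records.append(rec)
            _, ts, op, bind = line.split("--", 3)
            rec = {"ts": ts, "op": op,
                   "bindDN": bind.split(": ", 1)[1], "attrs": {}}
        elif rec is None:
            continue
        elif line.startswith("--"):
            for part in line.split("--")[1:]:
                if ": " in part:
                    key, value = part.split(": ", 1)
                    rec[key] = value
                else:
                    rec["status"] = part          # e.g. "Success"
        elif ": " in line:
            key, value = line.split(": ", 1)
            rec["attrs"].setdefault(key, []).append(value)
    if rec:
        records.append(rec)
    return records


def unique_value_binds(records):
    """(bindDN value, resolved DN) for each successful bind that used a
    unique attribute value. A bindDN with no '=' cannot be a DN, and the
    configured attribute's values may not contain '=' either."""
    return [(r["bindDN"], r["attrs"]["name"][0]) for r in records
            if r["op"] == "V3 Bind" and r.get("status") == "Success"
            and "=" not in r["bindDN"] and "name" in r["attrs"]]


def resolve_sessions(records):
    """Attach the DN resolved at bind time to every record on that connection.

    Returns (ts, op, bindDN, resolved_dn, status) per record. A failed or
    DN-less bind clears the mapping so a stale DN is never carried forward.
    """
    session_dn, out = {}, []
    for r in records:
        conn = r.get("connectionID")
        if r["op"] == "V3 Bind":
            if r.get("status") == "Success" and "name" in r["attrs"]:
                session_dn[conn] = r["attrs"]["name"][0]
            else:
                session_dn.pop(conn, None)
        out.append((r["ts"], r["op"], r["bindDN"], session_dn.get(conn),
                    r.get("status")))
        if r["op"] == "V3 Unbind":
            session_dn.pop(conn, None)
    return out


if __name__ == "__main__":
    recs = parse_audit(SAMPLE_AUDIT)
    for value, dn in unique_value_binds(recs):
        print("bind value %s -> %s" % (value, dn))
    for row in resolve_sessions(recs):
        print(row)
```

Feeding it the real audit log lets you list which attribute values actually bound and which entries they resolved to, which is the check to run after changing ibm-slapdUniqueAttrForBindWithValue: an unexpected DN next to a familiar mail address means the value is no longer unique in the way you assumed.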
Bind with a unique attribute value for pass-through authentication
You can use the attribute that is configured for bind operations to authenticate against an authentication server: instead of the DN value and password, use the unique attribute value and password for the bind operation.
For pass-through authentication with a unique attribute value and password, the user entry must exist on the authenticating server; if it does not, the server generates an error.