Bind with a unique combination of attribute-value
You can use any unique attribute-value pair and password, instead of the distinguished name (DN) and password, to bind to a directory server.
This feature is similar to the feature explained in the earlier section named Bind with a unique attribute value.
To use an attribute-value pair and password in bind operations, you must:
- Identify an attribute-value pair that is unique in the directory server instance.
- Configure the ibm-slapdBindWithUniqueAttrsEnabled attribute under the cn=Configuration entry and set its value to "true".
- Restart the server and the administration server.
You cannot use the following for a bind with a unique attribute-value pair:
- An attribute that has the = character in the attribute value.
- An encrypted attribute.
- An attribute-value pair that is the same as the administrative DN configured for a Local administrative group member. For example, if there is a Local administrative group member with administrative DN cn=lagm1, and a user in the directory server has the value of cn as "lagm1", then a bind with the combination of cn=lagm1 and the password of that directory user fails, because the server verifies the credentials against the Local administrative group member instead of the directory entry.
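The restrictions above can be checked before a bind is ever attempted. The following script is an added example, not IBM code or the server's own logic: it applies the three restrictions and the uniqueness requirement to an LDIF export. The LDIF text, the set of encrypted attributes and the Local administrative group member DN are constructed assumptions, and attribute values are compared case-insensitively as an approximation of the server's matching rules.

```python
"""Pre-flight check of a candidate attr=value bind identifier against an LDIF export.

Added example (not IBM code). Everything below the imports is constructed
sample data or an approximation of the server-side rules described in the
documentation, for illustration only.
"""
import re
from collections import defaultdict

# Constructed LDIF export of a small directory (not real data).
LDIF_EXPORT = """\
dn: cn=Al Garcia,ou=Austin,o=sample
cn: Al Garcia
mail: al.garcia@sample.com
uid: agarcia
userPassword: secret

dn: cn=Bob Lee,ou=Austin,o=sample
cn: Bob Lee
mail: bob.lee@sample.com
uid: agarcia

dn: cn=lagm1,ou=Austin,o=sample
cn: lagm1
mail: lagm1@sample.com
"""

# Assumed configuration: attributes the server stores encrypted (unusable for
# this kind of bind) and the administrative DN of a Local administrative group
# member, matching the cn=lagm1 example in the text.
ENCRYPTED_ATTRS = {"userpassword", "employeenumber"}
LOCAL_ADMIN_GROUP_DNS = {"cn=lagm1"}


def parse_ldif(text):
    """Return a list of (dn, {attr_lower: [values]}) from a simple LDIF dump."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            name, _, value = line.partition(":")
            value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs[name.lower()].append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def check_bind_identifier(identifier, entries,
                          encrypted_attrs=ENCRYPTED_ATTRS,
                          lagm_dns=LOCAL_ADMIN_GROUP_DNS):
    """Return the list of reasons the attr=value pair is unusable, or [] if it is OK."""
    attr, sep, value = identifier.partition("=")
    if not sep or not attr or not value:
        return ["identifier is not of the form attr=value"]
    reasons = []
    if "=" in value:                                   # restriction: no '=' in the value
        reasons.append("value contains '='")
    if attr.lower() in encrypted_attrs:                # restriction: encrypted attribute
        reasons.append(f"{attr} is an encrypted attribute")
    if identifier.lower() in {d.lower() for d in lagm_dns}:   # restriction: LAGM DN clash
        reasons.append("pair matches a Local administrative group member DN")
    # Uniqueness: the pair must resolve to exactly one entry (case-insensitive approximation).
    matches = [dn for dn, attrs in entries
               if value.lower() in (v.lower() for v in attrs.get(attr.lower(), []))]
    if not matches:
        reasons.append("no entry has this attribute value")
    elif len(matches) > 1:
        reasons.append(f"value is not unique ({len(matches)} entries match)")
    return reasons


if __name__ == "__main__":
    directory = parse_ldif(LDIF_EXPORT)
    for ident in ("mail=al.garcia@sample.com", "uid=agarcia", "cn=lagm1",
                  "userPassword=secret", "mail=nobody@sample.com"):
        problems = check_bind_identifier(ident, directory)
        print(f"{ident:30} -> {'OK' if not problems else '; '.join(problems)}")
```

Only mail=al.garcia@sample.com passes in the sample: uid=agarcia is shared by two entries, cn=lagm1 collides with the Local administrative group member, userPassword is encrypted, and the unknown mail value resolves to nothing. Each of the failing cases would surface to an LDAP client only as LDAP_INVALID_CREDENTIALS, which is why a check like this against an export is useful when choosing the attribute to bind with.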
The following example shows the cn=Configuration entry with the ibm-slapdBindWithUniqueAttrsEnabled attribute:
dn: cn=Configuration
cn: Configuration
ibm-slapdAdminDN: cn=root
ibm-slapdAdminGroupEnabled: true
ibm-slapdAdminPW: {AES256}0iBLFmJJXwLM5eocBxeJZw==
...
...
ibm-slapdTimeLimit: 900
ibm-slapdTraceMessageLevel: 0xFFFF
ibm-slapdTraceMessageLog: /home/dsrdbm01/idsslapd-dsrdbm01/logs/traceibmslapd.log
ibm-slapdBindWithUniqueAttrsEnabled: true
ibm-slapdVersion: 6.4
objectclass: top
objectclass: ibm-slapdConfigEntry
objectclass: ibm-slapdTop
Error codes
When you use an attribute-value pair for bind operations, the directory server returns an LDAP_INVALID_CREDENTIALS error for any of the following reasons:
- The attribute-value pair that is used for the bind operation is not associated with any entry.
- The password is incorrect.
- The attribute-value pair is not unique, that is, more than one entry is associated with the attribute-value pair.
The server also returns the LDAP_INVALID_CREDENTIALS error code for any other error condition during such a bind, so a client cannot tell from the result code alone whether the attribute-value pair was unknown, ambiguous, or the password was wrong. The specific reason is recorded in the ibmslapd.log file and, if you activate the server trace, in the traceibmslapd.log file as well.
Audit log entries for bind with a unique attribute value
For security purposes, you can enable the audit log to record all failed and successful operations against a directory server. The server records the following attributes in the audit log file for operations that result in a bind against the server with a unique attribute-value pair:
bindDN: unique_attr=attr_value
name: DN_entry_value
The bindDN entry records the unique_attr=attr_value that was used to bind to the server. The name entry records the DN of the entry that is associated with the unique attribute-value pair.
The following example shows the audit record with the values:
AuditV3--2013-05-20-21:43:38.903+5:30--V3 Bind--bindDN: mail=al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.881+5:30
--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
name: cn=Al Garcia, ou=Home Entertainment, ou=Austin, o=sample
authenticationChoice: simple
AuditV3--2013-05-20-21:43:38.961+5:30--V3 Search--bindDN: al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.896+5:30
--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
base: o=sample
scope: wholeSubtree
derefAliases: neverDerefAliases
typesOnly: false
filter: (objectclass=*)
numberOfEntriesReturned: 2
AuditV3--2013-05-20-21:43:38.962+5:30--V3 Unbind--bindDN: mail=al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.962+5:30
--Success
Bind with a unique combination of attribute-value for pass-through authentication
You can also use a unique attribute-value pair and password, instead of the DN and password, for bind operations that are resolved by pass-through authentication against an authentication server.
For pass-through authentication with a unique attribute value and password, the entry that the attribute-value pair resolves to must exist on the authentication server. If the user entry is not available on the authentication server, the server generates an error.
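The audit records shown in the audit-log section above are the only place where the attribute-value pair used to bind is tied to the entry DN it resolved to (the name line); the Search and Unbind records on the same connection carry only the bindDN value. The following script is an added example, not part of the IBM documentation or product: it parses AuditV3 records, picks out successful binds made with a unique attribute-value pair, and correlates later operations on the same connectionID back to the resolved DN. The log text is constructed from the records above, and the record layout assumed (a header beginning "AuditV3--", "--" continuation lines, a "--Success" result marker, then "key: value" attribute lines) is only what those records display.

```python
"""Correlate ISDS AuditV3 records for binds made with a unique attribute-value pair.

Added example (not IBM code). The log below is constructed from the records
in the documentation; the parser assumes only the layout visible there.
"""
import re

# Constructed sample log: the three records from the documentation.
AUDIT_LOG = """\
AuditV3--2013-05-20-21:43:38.903+5:30--V3 Bind--bindDN: mail=al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.881+5:30
--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
name: cn=Al Garcia, ou=Home Entertainment, ou=Austin, o=sample
authenticationChoice: simple
AuditV3--2013-05-20-21:43:38.961+5:30--V3 Search--bindDN: al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.896+5:30
--Success
controlType: 1.3.6.1.4.1.42.2.27.8.5.1
criticality: false
base: o=sample
scope: wholeSubtree
derefAliases: neverDerefAliases
typesOnly: false
filter: (objectclass=*)
numberOfEntriesReturned: 2
AuditV3--2013-05-20-21:43:38.962+5:30--V3 Unbind--bindDN: mail=al.garcia@sample.com
--client: 127.0.0.1:17042--connectionID: 2--received: 2013-05-20-21:43:38.962+5:30
--Success
"""


def _parse_record(chunk):
    """Turn one record (header lines starting with 'AuditV3--' or '--', then
    attribute lines) into a flat dict of string fields."""
    lines = chunk.splitlines()
    is_header = lambda l: l.startswith("AuditV3--") or l.startswith("--")
    parts = "".join(l for l in lines if is_header(l)).split("--")
    # parts: ['AuditV3', timestamp, operation, 'key: value', ..., result]
    rec = {"timestamp": parts[1], "operation": parts[2], "result": parts[-1]}
    for field in parts[3:-1]:
        key, _, value = field.partition(":")
        rec[key.strip()] = value.strip()
    for line in lines:
        if not is_header(line):
            key, _, value = line.partition(":")
            rec.setdefault(key.strip(), value.strip())   # header fields stay authoritative
    return rec


def parse_audit(text):
    """Split an AuditV3 log into a list of record dicts, in log order."""
    return [_parse_record(c) for c in re.split(r"\n(?=AuditV3--)", text.strip())]


def unique_attr_binds(records):
    """Successful binds performed with a unique attribute-value pair.

    Such Bind records carry a 'name' line with the resolved entry DN; a bind
    with a plain DN does not. Returns [(bindDN, resolved DN, connectionID)]."""
    return [(r["bindDN"], r["name"], r["connectionID"])
            for r in records
            if r["operation"] == "V3 Bind" and r["result"] == "Success" and "name" in r]


def resolve_actor(records):
    """Attribute every operation to the entry DN behind it by remembering the
    last successful bind on each connectionID. Returns [(operation, bindDN, DN)]."""
    actor, attributed = {}, []
    for r in records:
        if r["operation"] == "V3 Bind" and r["result"] == "Success":
            actor[r["connectionID"]] = r.get("name", r["bindDN"])
        attributed.append((r["operation"], r["bindDN"], actor.get(r["connectionID"])))
    return attributed


if __name__ == "__main__":
    recs = parse_audit(AUDIT_LOG)
    for pair, dn, conn in unique_attr_binds(recs):
        print(f"connection {conn}: {pair} bound as {dn}")
    for op, bind_dn, dn in resolve_actor(recs):
        print(f"{op:10} bindDN={bind_dn!r:35} actor={dn}")
```

The correlation step matters for review: on its own, the Search record names only al.garcia@sample.com, and only the preceding Bind on connectionID 2 tells the reviewer that the search was executed as cn=Al Garcia, ou=Home Entertainment, ou=Austin, o=sample.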