Change DN in OpenLDAP “on the fly”


I'm a newbie in LDAP and I have the following issue:



I use OpenLDAP as a caching proxy for remote Active Directory.



And the full DN of a user is like "cn=Doe, John,ou=users,ou=others,dc=company,dc=com", while the uid (sAMAccountName) is the short form of first and second name. For example John Doe will be jdoe.



I already have SVN server, Bugzilla and ReviewBoard working fine with this because they have many settings for LDAP support. But now I'm trying to set up YouTrack and there is a lack of LDAP settings in it.

I want to be able to log in to YouTrack using the short form login (like "jdoe"), but when I set the transform string in YouTrack as "sAMAccountName=$login$,ou=users,ou=others,dc=company,dc=com" I have the following error all the time:




[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 52e, v1db1]
which is “invalid credentials”.




But if I specify the full name explicitly in the transform string I can log in (but no one else of course):



"cn=Doe, John,ou=users,ou=others,dc=company,dc=com"


So, my question is:
Can I modify the DN of a user "on the fly" in order to have something like this for example:



"cn=jdoe,ou=users,ou=others,dc=company,dc=com"


?


























  • Sun used to have an LDAP Proxy product as part of the Sun ONE Directory suite. I believe Oracle still has it as a product - they did about a year ago. It had provision for modifying some data on the fly. I can't recall if it was just field names or if it was actual data as well. That may be useful, but there'd probably be a license to use operationally (we had a site license so I just grabbed what I wanted).

    – Jason Tan
    Jul 5 '13 at 14:44











  • Thank you, but unfortunately this is not the case for me :(

    – GooRoo
    Jul 5 '13 at 15:29
















ldap openldap
















asked Jul 5 '13 at 14:35









GooRoo





1 Answer














Even though this question might be a little old, I've come up with a few thoughts on this. Maybe it will help somebody in the future:




  1. You could simply modify the DN by using ldapmodify with
    changetype: moddn or modrdn providing the new DN (newrdn).
    More information on this can be found in bullet point number 4
    here: http://www.zytrax.com/books/ldap/ch8/#changetype

  2. You could use the "rwm" overlay in OpenLDAP. This lets you either rewrite your DN, massage the suffix or even provide a virtual view on your data. Check man 5 slapo-rwm. This thing is really powerful!

  3. Another way would be to set up an alias for the initial entry. cn=jdoe,ou=users,ou=others,dc=company,dc=com could be of object class "alias" and have your initial account written in the attribute aliasedObjectName. All you would need to do in this case would be to check whether the ldapsearch operation follows referrals or not.


On my server I have a similar setup and chose the 3rd way. To have it completely clean, I created my own schema where I have a dedicated alias object class for this which provides the necessary additional fields.






        answered Dec 2 '16 at 13:43









dim-0
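An added example for the alias approach (option 3) in the answer above; it is not code from the answer or from OpenLDAP. It generates the LDIF for alias entries such as cn=jdoe pointing at the real entry, escaping the comma in "Doe, John" as RFC 4514 requires and base64-encoding values that LDIF cannot carry as plain text. It assumes the standard extensibleObject class in place of the answerer's custom schema, and the second user is constructed sample data.

```python
import base64

# RFC 4514 section 2.4: these must be backslash-escaped inside an RDN value.
_SPECIAL = set('"+,;<>\\')


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN string (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\0":
            out.append("\\00")
        elif ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or base64 'attr:: ...' when RFC 2849 requires it."""
    safe = (
        value.isascii()
        and not any(c in "\0\r\n" for c in value)
        and not value.startswith((" ", ":", "<"))
        and not value.endswith(" ")
    )
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def alias_entry(login: str, common_name: str, container: str) -> str:
    """LDIF for cn=<login>,<container> aliasing cn=<common_name>,<container>."""
    target = f"cn={escape_rdn_value(common_name)},{container}"
    return "\n".join([
        ldif_line("dn", f"cn={escape_rdn_value(login)},{container}"),
        "objectClass: alias",
        # Assumption: extensibleObject permits cn as the naming attribute; the
        # answer's author used a custom alias object class instead.
        "objectClass: extensibleObject",
        ldif_line("cn", login),
        ldif_line("aliasedObjectName", target),
    ]) + "\n"


def build_ldif(users: dict, container: str) -> str:
    """One alias entry per login, separated by blank lines as LDIF requires."""
    return "\n".join(alias_entry(l, cn, container) for l, cn in users.items())


# Container from the question; the second user is constructed sample data.
CONTAINER = "ou=users,ou=others,dc=company,dc=com"
USERS = {"jdoe": "Doe, John", "jmuller": "Müller, Jörg"}

if __name__ == "__main__":
    print(build_ldif(USERS, CONTAINER))
```

LDAP dereferences aliases only during search operations, so a client relying on these entries has to search for the alias and bind with the DN the search returns.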





























