I'm having trouble authenticating services using uid for authentication, which I thought was the standard method for authentication on the user. So basically, my users are added in LDAP like this:
# jsmith, Users, example.com
dn: uid=jsmith,ou=Users,dc=example,dc=com
uidNumber: 10003
loginShell: /bin/bash
sn: Smith
mail: jsmith@example.com
homeDirectory: /home/jsmith
displayName: John Smith
givenName: John
uid: jsmith
gecos: John Smith
gidNumber: 10000
cn: John Smith
title: System Administrator
But when I try to authenticate using typical webapps or services like this:
jsmith
password
I get:
ldapsearch -x -h ldap.example.com -D "cn=jsmith,ou=Users,dc=example,dc=com" -W -b "dc=example,dc=com"
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
But if I use:
ldapsearch -x -h ldap.example.com -D "uid=jsmith,ou=Users,dc=example,dc=com" -W -b "dc=example,dc=com"
It works.
HOWEVER... most webapps and authentication methods seem to use another method. So on a webapp I'm using, unless I specify the user as uid=smith,ou=users,dc=example,dc=com, nothing works.
In the webapp I just need users to put jsmith in the user field.
Keep in mind my LDAP is using the "new" cn=config method of storing settings. So if someone has an obvious LDIF I'm missing, please provide it.
Let me know if you need further info. This is OpenLDAP on Ubuntu 12.04.
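
One common way an application maps a bare login such as jsmith to a bind DN is to search for the entry by uid and then bind as the DN the search returns. The following is an added example, not part of the original post; the in-memory DIRECTORY, its second entry and all function names are constructed for illustration, and search() stands in for a real server-side search.

```python
import re

# Constructed directory: the entry from the post plus one made-up neighbour.
DIRECTORY = {
    "uid=jsmith,ou=Users,dc=example,dc=com": {"uid": ["jsmith"], "cn": ["John Smith"]},
    "uid=adoe,ou=Users,dc=example,dc=com": {"uid": ["adoe"], "cn": ["Alice Doe"]},
}

def escape_filter_value(value):
    """Escape RFC 4515 special characters so user input stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(login, attr="uid"):
    return "(%s=%s)" % (attr, escape_filter_value(login))

def search(base, ldap_filter):
    """Stand-in for a server-side subtree search; equality and presence only."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: %r" % ldap_filter)
    attr, raw = m.group(1).lower(), m.group(2)
    # Undo \xx escapes to recover the literal value being compared.
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), raw)
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not dn.lower().endswith(base.lower()):
            continue
        values = [v.lower() for v in attrs.get(attr, [])]
        # An unescaped "*" is a presence test and matches every entry with attr.
        if (raw == "*" and values) or value.lower() in values:
            hits.append(dn)
    return hits

def resolve_bind_dn(login, base="dc=example,dc=com"):
    """Map a bare login name to exactly one DN, or None if absent/ambiguous."""
    hits = search(base, build_filter(login))
    return hits[0] if len(hits) == 1 else None

def entry_exists(dn):
    """A simple bind can only succeed for a DN that names a real entry."""
    return dn.lower() in (known.lower() for known in DIRECTORY)
```

Here entry_exists() is false for cn=jsmith,ou=Users,dc=example,dc=com because the entry's RDN is uid=jsmith and its cn is "John Smith", which matches the error 49 shown above.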