I'm working with an LDAP implementation where a single UID may have several records in the LDAP database: one with no ou= attributes, which (I think) holds the password, and none to several further records with the same uid= and different ou= attributes.
I believe the ou= is used to form some grouping.
With several applications this causes no problems. Cisco FWs and FW-1 can handle this design OK, but one vendor claims it to be problematic.
If you do an ldapsearch for the uid, often but not always, the record without the ou= is the first to be returned, followed by the ou= records.
Occasionally - for example when the password has been changed - the order in which the records are returned changes, so that one of the ou= records comes first and then at some point the record with no ou= attribute is returned.
The vendor in question does a search and uses the first record returned as the template for the bind to verify the userid and password. However, if you do not use the record without the ou=, LDAP returns an "Inappropriate logon" - probably because the ou= record does not contain any password.
Could you please comment on this?
Is it within specifications to use LDAP and the ou= attribute like it's done here?
Is there any way, for example via filters or otherwise, to enforce that the records come back sorted by the ou= attribute?
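The core problem in the question is a client that trusts result order: LDAP does not guarantee any ordering of search results unless the client asks for it with a server-side sort control, so "first entry returned" is not a stable choice of bind DN. The added example below is not the vendor's code or anything from the original post; it is a hypothetical Python helper that shows two order-independent alternatives: a search filter that asks the server for only the password-holding entry (`(&(uid=...)(!(ou=*)))`, which assumes, as the question states, that the ou= value is a real attribute on the grouping entries and not only an RDN in their DN), and a client-side selection over the returned entries that ignores order and refuses to bind if the layout is ambiguous. The uid value is escaped per RFC 4515 so that a user-supplied login name cannot alter the filter structure. The entries and DNs are constructed sample data.

```python
"""Order-independent selection of the bind entry for a uid.

Hypothetical helper (not from any vendor product). Assumes the directory
layout described in the question: one entry per uid with no ou= value
(holding the password) plus zero or more entries with the same uid and an
ou= value, and that the search may return them in any order.
"""
from __future__ import annotations

# RFC 4515 requires these characters to be escaped inside a filter value so
# that a user-controlled uid cannot change the structure of the filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def bind_entry_filter(uid: str) -> str:
    """Filter that matches only the uid entry carrying no ou attribute.

    Lets the server do the selection, so the client never depends on the
    order in which matching entries are returned. Assumes ou is an attribute
    of the grouping entries, not only an RDN in their DN.
    """
    return f"(&(uid={escape_filter_value(uid)})(!(ou=*)))"


def dn_has_ou(dn: str) -> bool:
    """True if any RDN of the DN is an ou= component (e.g. uid=x,ou=sales,dc=...).

    Simple comma split; sufficient for DNs without escaped commas.
    """
    return any(rdn.strip().lower().startswith("ou=") for rdn in dn.split(","))


def choose_bind_entry(uid: str, entries: list[dict]) -> dict | None:
    """Pick the entry to bind as, independent of result order.

    `entries` is a list of {"dn": str, "attrs": {name: [values]}} as a search
    on (uid=<uid>) would return. Returns the single entry whose DN has no
    ou= RDN and whose attributes carry no ou value, or None if there is no
    such entry or more than one (ambiguous layout: refuse rather than guess).
    """
    candidates = [
        e for e in entries
        if uid in e["attrs"].get("uid", [])
        and not e["attrs"].get("ou")
        and not dn_has_ou(e["dn"])
    ]
    if len(candidates) != 1:
        return None
    return candidates[0]


# Constructed sample result, deliberately in the "bad" order described in the
# question: an ou= entry comes back before the password-holding entry.
SAMPLE_RESULT = [
    {"dn": "uid=jdoe,ou=sales,dc=example,dc=com",
     "attrs": {"uid": ["jdoe"], "ou": ["sales"]}},
    {"dn": "uid=jdoe,dc=example,dc=com",
     "attrs": {"uid": ["jdoe"], "userPassword": ["{SSHA}constructed"]}},
    {"dn": "uid=jdoe,ou=support,dc=example,dc=com",
     "attrs": {"uid": ["jdoe"], "ou": ["support"]}},
]

if __name__ == "__main__":
    print("server-side filter:", bind_entry_filter("jdoe"))
    chosen = choose_bind_entry("jdoe", SAMPLE_RESULT)
    print("bind as:", chosen["dn"] if chosen else None)
```

Either approach removes the dependence on result order that breaks after a password change. If the directory only places ou= in the DN and not as an attribute, the filter variant will not work and the client-side selection on the DN is the one to use; in both cases the bind itself should still be done against the chosen DN so that the "Inappropriate logon" failure from binding as a password-less grouping entry cannot occur.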