LSTSRV-L Archives

LISTSERV Site Administrators' Forum

Jim Toth <[log in to unmask]>
Thu, 10 Apr 2008 16:49:22 -0400
On Thu, Apr 10, 2008 at 04:08:11PM -0400, Liam Kelly ([log in to unmask]) said:
> It sounds like you just need to change:
>
> LDAP_PW_FILTER_EDIR     uid=%u
>
> to
>
> LDAP_PW_FILTER_EDIR     uid=%u,ou=People,dc=VCU,dc=edu
>
> As I understand it, LDAP_PW_BASE specifies the base for the directory
> search, but LDAP_PW_FILTER supplies the literal bind credentials.

Doesn't seem to work; LISTSERV says bad password.  Neither of the user's
loginTime or loginIntruderAttempts attributes seems to have been
affected[1].

Switching to the not-expected-to-work-but-we-have-logs openldap server,
I get this line:

conn=5066 op=0 SRCH base="dc=vcu,dc=edu" scope=2 filter="(uid=joeuser,ou=People,dc=VCU,dc=edu)"

Which does not get an entry back, and isn't going to work: the ou=People
etc stuff *shouldn't* be in there.  As I understand it (or rather, had
an LDAP guru explain to me), it should be in the base but not the filter
for the search for the user, but should be there for when we log the
user in.




[1] The loginTime of the application's dn as specified in LDAP_UID is
changing, though (which is as it was, and obviously a good thing).

>
> --
> Liam Kelly
> Senior Consulting Analyst
> L-Soft international
> [log in to unmask]
>
> ------------------
> Have a question?  Check out the LISTSERV, and F-Secure FAQs at
>       <http://www.lsoft.com/resources/faq.asp>
>

--
Jim Toth                                        [log in to unmask]
"We used to quip that "password" is the most common password.
Now it's 'password1.' Who said users haven't learned anything
about security?" -- Bruce Schneier
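
Added example, not part of the original message and not LISTSERV or OpenLDAP code: a Python check that parses slapd search lines like the one quoted above and flags equality filters whose value carries DN components, which is the symptom in that log line. The function names and the second sample line are constructed for illustration.

```python
import re

# slapd stats-log search line; "deref=" is optional because the quoted line omits it.
SRCH_RE = re.compile(
    r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d)(?: deref=\d)? filter="\((.*)\)"')
# An unescaped comma followed by "attr=" inside a filter value is the shape of a DN.
RDN_IN_VALUE = re.compile(r'(?<!\\),\s*[A-Za-z][A-Za-z0-9-]*=')


def check_srch_line(line):
    """Return a finding dict if an equality filter's value looks like a DN, else None."""
    m = SRCH_RE.search(line)
    if not m:
        return None
    conn, op, base, scope, flt = m.groups()
    if flt.startswith(("&", "|", "!")):
        return None  # compound filters are out of scope for this check
    attr, sep, value = flt.partition("=")
    hit = RDN_IN_VALUE.search(value) if sep else None
    if not hit:
        return None
    return {
        "conn": int(conn),
        "op": int(op),
        "base": base,
        "filter": "(" + flt + ")",
        # The filter with the DN components stripped from the value.
        "suggested_filter": "(" + attr + "=" + value[:hit.start()] + ")",
        # The part that belongs in the search base or bind DN, not the filter.
        "dn_suffix": value[hit.start() + 1:].strip(),
    }


def scan(log_text):
    """Run the check over every line of a log excerpt."""
    return [f for f in map(check_srch_line, log_text.splitlines()) if f]


# Line quoted in the message above.
QUOTED = ('conn=5066 op=0 SRCH base="dc=vcu,dc=edu" scope=2 '
          'filter="(uid=joeuser,ou=People,dc=VCU,dc=edu)"')
# Constructed line showing a search this check does not flag.
CONSTRUCTED_OK = ('conn=5067 op=0 SRCH base="ou=People,dc=vcu,dc=edu" scope=2 '
                  'deref=0 filter="(uid=joeuser)"')

if __name__ == "__main__":
    for f in scan(QUOTED + "\n" + CONSTRUCTED_OK):
        print(f["conn"], f["filter"], "->", f["suggested_filter"], "+", f["dn_suffix"])
```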
