Tue 2009-09-22 at 13:31 -0500, Dale Mahalko wrote:

> We don't have domain controllers in novell's eDir, so "dc=" appears to
> be the wrong identifier for Novell's LDAP.

dc= is "Domain Component", not related to Domain Controllers. It's just a different way of naming the LDAP tree, using the DNS name of the organisation. This model makes it easier to interoperate between different LDAP trees of different organisations compared to the o= model.

> Instead, we have this thing called the Tree and the Org at the top
> level. I've played with trying random guesses like
> "cn=foo,ou=accounts,o=myorg,t=mytree" and it doesn't work.

Before using squid_ldap_auth I would recommend exploring your LDAP server a bit using an LDAP browser. Most LDAP browsers can automatically tell you what prefixes are being published.

> And does using "uid=" or "cn=" make a difference with AD vs eDir?

Yes. Which one to use depends on the structure of the LDAP tree.

> Also, what's with the commas and periods in LDAP vs Novell? Does it matter?
>
> Novell eDirectory: cn=user.ou=orgunit.o=org.t=tree
> LDAP: uid=some-user,ou=People,dc=yourcompany,dc=com

LDAP syntax is with comma.

> Novell eDirectory permits spaces in the names of objects. How do you
> deal with spaces in LDAP objects from the command line? Do you wrap
> the individual item with quotes or the whole LDAP path/context in
> quotes?

As you like. a" "b and "a b" and a\ b are all the same thing in shell syntax. But quoting the whole argument is recommended.

> Also what is the debug option in the LDAP authenticator supposed to be
> used for? It does not appear to generate any useful output. I am
> looking for extensive debugging information to tell me why and how
> exactly it is or isn't working, like this:

It is not far from what you ask for. The -d option gives feedback on

* Search filter used, and the search base DN.
* Warns if the LDAP search returned nothing
* If search successful it tells which user DN it's trying to bind to for verifying the password.

If you are using a search bind DN then the helper always warns if failing to bind to that DN before performing the search. No -d option needed for that warning.

Regards
Henrik
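Added example (not part of the thread above, and not Squid's or Novell's code) showing the three points the reply touches on: the comma-separated LDAP DN syntax versus the dotted eDirectory form, escaping of DN values and search-filter values that contain spaces or special characters, and quoting the whole argument as one shell word. The converter assumes that the `t=` tree component is not part of the LDAP DN and drops it; that assumption is mine, the thread only says the guessed DN "doesn't work". The sample names are constructed.

```python
"""Build LDAP DNs and search filters from user-supplied names with proper
escaping, and quote them as a single shell argument.

Escaping rules follow RFC 4514 (DN string representation) and RFC 4515
(search filter string representation).  Sample inputs are constructed."""
import shlex

# Characters that must be backslash-escaped anywhere inside a DN value.
DN_SPECIAL = ',+"\\<>;'
# Characters that must be hex-escaped inside a search filter value.
FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a DN (RFC 4514 section 2.4).
    Interior spaces are legal and left alone; leading/trailing spaces and a
    leading '#' must be escaped so they survive DN parsing."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def dotted_to_ldap_dn(dotted: str, drop_types=('t',)) -> str:
    """Convert a dotted, typed eDirectory name such as
    'cn=user.ou=orgunit.o=org.t=tree' into the comma-separated LDAP form
    'cn=user,ou=orgunit,o=org'.

    Assumption (hypothetical, not stated in the thread): the 't=' tree
    component is not an LDAP RDN and is dropped.  Values containing a
    literal '.' are not supported by this simple splitter."""
    rdns = []
    for part in dotted.split('.'):
        attr, sep, val = part.partition('=')
        if not sep:
            raise ValueError(f"component without '=': {part!r}")
        if attr.lower() in drop_types:
            continue
        rdns.append(f"{attr}={escape_rdn_value(val)}")
    return ','.join(rdns)


def build_search_filter(attr: str, username: str) -> str:
    """Build the equality filter a helper would send, e.g. '(uid=jsmith)',
    with the user-controlled part escaped so it cannot alter the filter."""
    return f"({attr}={escape_filter_value(username)})"


def shell_argument(dn: str) -> str:
    """Return the DN quoted as ONE shell word (what the reply recommends),
    so spaces inside object names do not split the argument."""
    return shlex.quote(dn)


if __name__ == "__main__":
    dn = dotted_to_ldap_dn("cn=John Smith.ou=accounts.o=myorg.t=mytree")
    print(dn)                              # cn=John Smith,ou=accounts,o=myorg
    print(shell_argument(dn))              # 'cn=John Smith,ou=accounts,o=myorg'
    print(build_search_filter("uid", "John Smith"))
    print(build_search_filter("uid", "a*b)(cn=*"))   # special chars neutralised
```

The filter escaping is the defensive point: the username arrives from the client, and without it a value like `a*b)(cn=*` would change the meaning of the search the helper reports under `-d`. Quoting the DN with `shlex.quote` is the "whole argument in quotes" form the reply prefers; a DN without spaces comes back unchanged.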