password plugin user DN search
Reported by: ncl | Owned by: (unassigned)
As pointed out in Ticket #1486306, the password_ldap_userDN_mask setting enforces an unnecessary restriction, i.e. the user's DN must be expressible as a template using only the %login, or %name and %domain, variables.
This is ridiculous in large setups where the user's DN often cannot be simply derived from the login. A common problem might be user accounts under different organizationalUnits, for example:
In Ticket #1486306 anonymous binds were proposed to solve this problem. However, they might be disabled in the server configuration for security reasons. The ideal solution would be:
- Bind with a specific DN and password (if empty, then anonymous?)
- Find the user's DN by searching for something like (uid=%login)
- Rebind as the user to change the password
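The three-step flow proposed above, as an added example that is not part of the ticket or of Roundcube's password plugin. It runs against a constructed in-memory directory (the FakeLdap class, the entries and the attribute names are assumptions made for this illustration) so that it executes offline. Two points the proposal leaves implicit are made explicit here: the login substituted into the search filter must be escaped per RFC 4515, otherwise a login such as `*` or `x)(uid=admin` rewrites the filter, and the search must return exactly one entry before the plugin rebinds as that DN.

```python
"""Added example, not code from Roundcube's password plugin: the
three-step flow the ticket proposes (bind with a service DN, or
anonymously if it is empty; search for the user's DN; rebind as the user
to change the password), run against a constructed in-memory directory so
it executes offline. FakeLdap, the entries and the attribute names are
assumptions made for this illustration."""
import re

# RFC 4515 escaping for values embedded in a search filter. The login comes
# from the user, so without this a login of "*" or "x)(uid=admin" rewrites
# the filter instead of being matched as a literal value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_filter(template: str, login: str) -> str:
    """Expand %login, %name and %domain in a filter template with escaped values."""
    name, _, domain = login.partition("@")
    return (template.replace("%login", escape_filter_value(login))
            .replace("%name", escape_filter_value(name))
            .replace("%domain", escape_filter_value(domain)))


class FakeLdap:
    """Constructed stand-in for a directory server: entries keyed by DN, each a
    dict of single-valued attributes including userPassword. It supports simple
    binds, one-attribute equality/substring filters and a self-service password
    change, which is all the flow needs."""

    def __init__(self, entries, allow_anonymous=False):
        self.entries = entries
        self.allow_anonymous = allow_anonymous
        self.bound_as = None

    def bind(self, dn: str, password: str) -> None:
        if dn == "":
            if not self.allow_anonymous:
                raise PermissionError("anonymous bind disabled on this server")
            self.bound_as = ""
            return
        entry = self.entries.get(dn)
        if entry is None or entry["userPassword"] != password:
            raise PermissionError("invalid credentials")
        self.bound_as = dn

    def search(self, base: str, flt: str) -> list:
        if self.bound_as is None:
            raise PermissionError("search requires a bind first")
        attr, _, raw = flt.strip("()").partition("=")
        # An unescaped "*" is a wildcard, as on a real server; "\2a" is a literal.
        pattern = ".*".join(re.escape(_unescape(p)) for p in raw.split("*"))
        return [dn for dn, entry in self.entries.items()
                if dn.endswith(base) and attr in entry
                and re.fullmatch(pattern, entry[attr])]

    def modify_password(self, dn: str, new_password: str) -> None:
        if self.bound_as != dn:
            raise PermissionError("only the bound user may change its own password")
        self.entries[dn]["userPassword"] = new_password


def find_user_dn(ldap, service_dn, service_pw, base, filter_template, login):
    """Steps 1 and 2: bind with the service account (anonymous if service_dn is
    empty) and search for the user's DN. Exactly one entry must match; zero or
    several means the filter is wrong or the login is ambiguous."""
    ldap.bind(service_dn, service_pw)
    hits = ldap.search(base, build_filter(filter_template, login))
    if len(hits) != 1:
        raise LookupError(f"expected one entry for {login!r}, got {len(hits)}")
    return hits[0]


def change_password(ldap, service_dn, service_pw, base, filter_template,
                    login, old_pw, new_pw):
    """Step 3: rebind as the DN found, using the old password, then replace
    userPassword. A wrong old password fails the bind before anything changes."""
    user_dn = find_user_dn(ldap, service_dn, service_pw, base, filter_template, login)
    ldap.bind(user_dn, old_pw)
    ldap.modify_password(user_dn, new_pw)
    return user_dn


# Constructed directory: accounts under different organizationalUnits, so no
# single %login-based DN template could describe both users.
DIRECTORY = FakeLdap({
    "cn=roundcube,ou=services,dc=example,dc=org": {"cn": "roundcube", "userPassword": "svc-secret"},
    "uid=alice,ou=staff,dc=example,dc=org": {"uid": "alice", "userPassword": "old-a"},
    "uid=bob,ou=contractors,dc=example,dc=org": {"uid": "bob", "userPassword": "old-b"},
})

if __name__ == "__main__":
    dn = change_password(DIRECTORY, "cn=roundcube,ou=services,dc=example,dc=org", "svc-secret",
                         "dc=example,dc=org", "(uid=%login)", "bob", "old-b", "new-b")
    print(dn, DIRECTORY.entries[dn]["userPassword"])
```

The service account only needs read access to the attribute being searched; the actual password change happens under the user's own bind, so a compromised Roundcube host cannot reset other users' passwords with the service credentials alone. If the service DN is left empty the first bind is anonymous and fails outright on servers that disallow it, which is the caveat the ticket raises.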