Guest access to search for DNs

Guest access to search for DNs In an LDAP system, users are hierarchically organized in the directory as a set of entries. An entry is a set of name-attribute pairs identified by a unique name, called a DN (distinguished name).

An entry is unambiguously identified by a DN, which is the concatenation of selected attributes from each entry in the tree along a path leading from the root down to the named entry, ordered from right to left. For example, a DN for a user might look like this:

cn=mary,ou=People,o=example.com uid=mary,ou=People,o=example.com

The allowable entries for the name are defined by the entry's objectClass.

An LDAP client can bind to the directory (successfully log in) if it provides a user ID and password. The user ID must be a DN, the fully qualified list of names and attributes. This means that the user must provide a very long name.

Typically, the user knows only a simple user name (e.g., the first part of the DN above, mary). With , you do not need the full DN, because an LDAP client () can go to the directory first as a guest or even an anonymous user, search for the full DN, then rebind to the directory using the full DN (and thus authenticate the user).

typically initiates a search for a full DN before binding to the directory using the full DN for user authentication. does not initiate a search in the following cases:

You have set derby.authentication.ldap.searchFilter to derby.user.
A user DN has been cached locally for the specific user with the derby.user.UserName property.

For more information, see "derby.authentication.ldap.searchFilter" in the .

Some systems permit anonymous searches; other require a user DN and password. You can specify a user's DN and password for the search with the properties listed below. In addition, you can limit the scope of the search by specifying a filter (definition of the object class for the user) and a base (directory from which to begin the search) with the properties listed below.

derby.authentication.ldap.searchAuthDN (optional)
Specifies the DN with which to bind (authenticate) to the server when searching for user DNs. This parameter is optional if anonymous access is supported by your server. If specified, this value must be a DN recognized by the directory service, and it must also have the authority to search for the entries.

If not set, it defaults to an anonymous search using the root DN specified by the derby.authentication.ldap.searchBase property. For example:
uid=guest,o=example.com
derby.authentication.ldap.searchAuthPW (optional)
Specifies the password to use for the guest user configured above to bind to the directory service when looking up the DN. If not set, it defaults to an anonymous search using the root DN specified by the derby.authentication.ldap.searchBase property.
myPassword
derby.authentication.ldap.searchBase (optional)
Specifies the root DN of the point in your hierarchy from which to begin a guest search for the user's DN. For example:
ou=people,o=example.com
When using Netscape Directory Server, set this property to the root DN, the special entry to which access control does not apply (optional).

To narrow the search, you can specify a user's objectClass.

derby.authentication.ldap.searchFilter (optional)
Set derby.authentication.ldap.searchFilter to a logical expression that specifies what constitutes a user for your LDAP directory service. The default value of this property is objectClass=inetOrgPerson. For example:
objectClass=person

See the for details on all these properties.