I'm working with a third-party vendor trying to configure LDAP
authentication using the email address attribute instead of a full DN or
even a short name. We have a secure connection established, and using
ldapsearch the vendor is able to pull user objects with all of their
attributes, including the mail attribute.

What I'm not clear about is whether eDirectory will allow authentication
using the mail attribute, and if not, is there a way to accomplish this
at all?

New TLS connection 0x168aea80 from, monitor = 0x9eccb700,
index = 12
Monitor 0x9eccb700 initiating TLS handshake on connection 0x168aea80
( DoTLSHandshake on connection 0x168aea80
BIO ctrl called with unknown cmd 7
( Completed TLS handshake on connection
( DoBind on connection 0x168aea80
( Bind name:JoeSmith, version:3,
Illegal ndsname "JoeSmith" in ldap2uNDSDN, err = 34 (0x22)
ldap2uNDSDN ldapDN = "JoeSmith" - error 34 (0x22)
( Failed to convert LDAP DN "JoeSmith" in
nds_back_bind, err = 34 (0x22)
( Sending operation result 34:"":"" to
connection 0x168aea80
( TLS read failure 5 on connection
0x168aea80, setting err = -5875. Error stack:
Monitor 0x9eccb700 found connection 0x168aea80 socket failure, err =
-5875, 0 of 0 bytes read
Monitor 0x9eccb700 initiating close for connection 0x168aea80
Server closing connection 0x168aea80, socket error = -5875

This connection will work fine if I use the DN as the login, but I don't
want to have to do that. Would the LDAP configuration on the vendor side
need to read the mail attribute, retrieve the DN and use that to

Any assistance is appreciated.


dlietz's Profile: https://forums.netiq.com/member.php?userid=917
View this thread: https://forums.netiq.com/showthread.php?t=54721
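The search-then-bind flow the post sketches (look the user up by mail, take the DN from the result, then simple-bind with that DN), written out as an added example that is not from the original thread or from NetIQ. Result code 34 in the trace above is LDAP invalidDNSyntax: the server was handed "JoeSmith" where it expected a distinguished name, which is exactly the step the lookup below supplies. The `FakeDirectory`, its entries, DNs and passwords are constructed stand-ins so the code runs offline; against a real eDirectory server the `search` and `bind` methods would wrap an LDAP client library such as ldap3 or python-ldap, with the search performed as the application's own service account.

```python
"""Search-then-bind: resolve an e-mail address to a DN, then bind with that DN.

Constructed example. `FakeDirectory` stands in for the LDAP server so the
logic runs offline; all entries, DNs and passwords are sample data.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# RFC 4515 section 3: these characters must be hex-escaped inside a filter
# value. Without this, a login such as "*)(mail=*" would rewrite the filter
# and could match a different account than the one the user claims.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    """Reverse of escape_filter_value; used only by the fake server below."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_mail_filter(email: str) -> str:
    """Equality filter on the mail attribute, with the user input escaped."""
    return f"(mail={escape_filter_value(email)})"


@dataclass(frozen=True)
class Entry:
    dn: str
    mail: str
    password: str  # constructed; a real directory never returns this


class FakeDirectory:
    """Minimal stand-in for an LDAP server that understands only (mail=...)."""

    def __init__(self, entries: List[Entry]) -> None:
        self._entries = entries

    def search(self, base: str, ldap_filter: str) -> List[str]:
        """Return the DNs under `base` whose mail attribute equals the filter value."""
        if not (ldap_filter.startswith("(mail=") and ldap_filter.endswith(")")):
            raise ValueError("unsupported filter: " + ldap_filter)
        wanted = unescape_filter_value(ldap_filter[len("(mail="):-1]).lower()
        return [e.dn for e in self._entries
                if e.dn.lower().endswith(base.lower()) and e.mail.lower() == wanted]

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: succeeds only for an existing DN with the right password."""
        return any(e.dn == dn and e.password == password for e in self._entries)


def authenticate_by_mail(directory, base_dn: str, email: str, password: str) -> Tuple[bool, str]:
    """Step 1: search for the DN whose mail attribute equals `email`.
    Step 2: simple-bind as that DN with the password the user supplied.
    Returns (success, dn-or-reason)."""
    if not password:
        # An empty password is an anonymous bind on most LDAP servers and
        # would "succeed" without proving anything; reject it up front.
        return False, "empty password"
    matches = directory.search(base_dn, build_mail_filter(email))
    if not matches:
        return False, "no entry with that mail attribute"
    if len(matches) > 1:
        # mail is not guaranteed unique; refuse rather than guess which
        # account to bind as.
        return False, "mail attribute is ambiguous"
    dn = matches[0]
    if not directory.bind(dn, password):
        return False, "bind failed for " + dn
    return True, dn


# Constructed sample directory: two distinct users plus a duplicate mail value.
SAMPLE_DIRECTORY = FakeDirectory([
    Entry("cn=JoeSmith,ou=users,o=example", "joe.smith@example.test", "correct horse"),
    Entry("cn=JaneDoe,ou=users,o=example", "jane.doe@example.test", "battery staple"),
    Entry("cn=JaneDoeAlt,ou=contractors,o=example", "jane.doe@example.test", "other"),
])
BASE_DN = "o=example"

if __name__ == "__main__":
    for email, pw in [("joe.smith@example.test", "correct horse"),
                      ("joe.smith@example.test", "wrong"),
                      ("jane.doe@example.test", "battery staple"),
                      ("*)(mail=*", "anything")]:
        print(f"{email!r}: {authenticate_by_mail(SAMPLE_DIRECTORY, BASE_DN, email, pw)}")
```

The two checks worth keeping whatever client library is used are the ones that do not depend on the server: escape the mail value before it goes into the filter, and treat more than one match as a failure instead of binding as the first hit.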