Once bug 135778 gets checked in, LDAP autocomplete and addressbook code will support authentication by using the bind DN specified in the prefs panel for a given server. LDAP replication, in contrast, will do a search based on email address to figure out the bind DN to use, and will ignore the one in preferences. All LDAP features should actually support both methods. See also bug 146564.
Why does it use an email address instead of a uid? I would think authentication by uid would be more important than authentication by the mail attribute.
jgmyers: Email address was used for LDAP replication because that's the way 4.x worked. In bug 135778, mcs said this:

> It would be really good to be more flexible than 4.x; perhaps:
>
> a) If the string looks like a DN, just use it without searching.
> b) Otherwise, insert the value into a configurable filter string and
>    do a search. For example, the configuration could look like:
>      (&(objectClass=person)(mail=%s))   // default?
>    or (&(objectClass=person)(uid=%s))   // user id based search
>
> I think that is basically what dmose suggested, with the addition that the
> search filter should be configurable (ideally).
>
> sspitzer wrote:
>
> > 2) how would we tell a bind dn from a email address?
> > (does a bind dn start with "dn=..."
>
> (no) But you can look for tag=value, at the start of a string to make a pretty
> good guess that it is a DN and not an email address or some other value.

I like the idea of searching for either uid or mail address being set to the value in question.
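The scheme quoted in the comment above, as an added example that is not part of the bug thread and not Mozilla code: a value that starts with tag=value is treated as a bind DN, anything else is substituted into a configurable filter. The function names are hypothetical, the sample values are constructed, and the RFC 4515 escaping of the substituted value is an addition the thread does not mention.

```javascript
'use strict';

// RFC 4515 section 3: backslash, '*', '(', ')' and NUL must appear as \XX
// inside a filter assertion value. Without this, a user-supplied value
// containing those characters would change the structure of the filter.
function escapeFilterValue(value) {
  return value.replace(/[\\*()\0]/g,
    (ch) => '\\' + ch.charCodeAt(0).toString(16).padStart(2, '0'));
}

// Heuristic from the thread: "tag=value" at the start of the string.
// The tag is an attribute descriptor (letter, then letters/digits/hyphens)
// or a dotted numeric OID. This is a guess, not a full RFC 4514 DN parser:
// an address such as "a=b@example.com" would also be classified as a DN.
const DN_START = /^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*)\s*=\s*[^\s,]/;

function looksLikeDN(value) {
  return DN_START.test(value);
}

// Returns either the DN to bind with directly, or the search filter that
// must be run first to find the entry whose DN will be used for the bind.
// filterTemplate is the "configurable filter string" with one or more %s.
function resolveBindIdentity(input,
    filterTemplate = '(&(objectClass=person)(mail=%s))') {
  const value = input.trim();
  if (value === '') {
    throw new Error('empty bind identity');
  }
  if (looksLikeDN(value)) {
    return { kind: 'dn', bindDN: value };            // case (a): no search
  }
  // case (b): split/join avoids the special "$" patterns of String.replace
  const filter = filterTemplate.split('%s').join(escapeFilterValue(value));
  return { kind: 'search', filter };
}

// Constructed sample inputs.
console.log(resolveBindIdentity('uid=jdoe,ou=People,dc=example,dc=com'));
console.log(resolveBindIdentity('jdoe@example.com'));
console.log(resolveBindIdentity('jdoe', '(&(objectClass=person)(uid=%s))'));
```
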
Assigning bugs that I'm not actively working on back to nobody; use SearchForThis as a search term if you want to delete all related bugmail at once.
This has been fixed already by various bugs. In short we now have an nsAbLDAPListenerBase class that all current LDAP functions use, hence a consistent authentication method. http://mxr.mozilla.org/seamonkey/find?string=nsAbLDAPListenerBase&tree=seamonkey Marking as WFM as I don't have the exact bug numbers that fixed this.