How to configure LDAP in ApacheDS to use uid for authentication?

Question

When adding a new user under the dc=example,dc=com using Apache Directory Studio, I have this tree structure:

dc=example,dc=com
|-- ou = engineering
     |-- cn = Lawrence K.H Loh+o=IKEA+sn=Loh+uid=lawrence+displayName=Lawrence

Below is the attribute list for the cn.

1. objectClass = inetOrgPerson
2. objectClass = organizationalPerson
3. objectClass = person
4. objectClass = top
5. cn = Lawrence K.H Loh
6. sn = Loh
7. displayName = Lawrence
8. o = IKEA
9. uid = lawrence
10. userPassword = SSHA hashed password

There is this error LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: Attempt to lookup non-existant entry when I connect this entry through uid=lawrence,ou=engineering,dc=example,dc=com. But it is working fine if I'm using this cn=Lawrence K.H Loh+o=IKEA+sn=Loh+uid=lawrence+displayName=Lawrence,ou=engineering,dc=example,dc=com. May I know how can I switch to uid=lawrence instead of the long name for authentication?

Answer 1

With that particular object, it's unlikely that you can. LDAP is looking for you to bind with the distinguished name (DN) of the object, and the primary attribute in this case is cn. This is a deliberate design decision because there is no guarantee that any given attribute of objects within a container will be unique other than the one that is associated with their DN.

This will not stop services from being able to search your directory and determine that uid=lawrence is associated with that particular DN (and thus being able to find any other attributes needed off of that object), but any calls that explicitly need to be run against a DN can only be run against the primary attribute.

This isn't to say that there aren't ways that you can avoid specifying a DN. Implementing SASL authentication and defining a map between SASL IDs and DNs comes to mind. But within the context of your question, no, you cannot switch to using a non-primary attribute of the DN you're authenticating to in place of the DN.