Re: Binding Problem Revisited
At 04:02 PM 8/2/99 -0400, Joe Novielli wrote:
>Now, I've tried it with perLDAP example script (see:
>http://www.mozilla.org/directory/faq/perldap-faq.html#_ldap_10), but it
>doesn't want to BIND with the username jnoviell (except if I replace my
>ACL's "by * none" with "by * read") which then lets everyone read.

In looking at this perl code, it appears to be doing
an anonymous SEARCH for attributes (uid,cn,mail) to find a
DN for the actual BIND. If none of these SEARCH operations
returns an entry, the code fails without actually attempting
a BIND. If you desire to allow such anonymous searching for the BIND
target, your ACLs must permit it. That is, your ACLs must allow
anonymous SEARCH operations for one or more of these attributes
AND anonymous read access to the "entry" attribute of the entry
as which you want to authenticate.

# allow anonymous search of uid and cn
access to * attribute=uid,cn
        by self write
        by * search
# allow anonymous read of "entry" attributes
access to * attribute=entry
        by self write
        by * read
# disallow anonymous access to everything else
access to *
        by self write
        by * none

You can, of course, limit such clauses to just those attributes/entries
that you want to allow as authentication targets.

# allow anonymous search of uid and cn to persons directly under
# ou=people,dc=foo,dc=com whose dn starts with cn= or uid= and
# only contains alphanumeric characters.
access to dn="^(cn|uid)=[[:alnum:]]+,ou=people,dc=foo,dc=com$"
        filter="(objectclass=person)" attribute=uid,cn
        by self write
        by * search
# allow anonymous read of "entry" attributes to same
access to dn="^(cn|uid)=[[:alnum:]]+,ou=people,dc=foo,dc=com$"
        filter="(objectclass=person)" attribute=entry
        by self write
        by * read
# disallow anonymous access to everything else
access to *
        by self write
        by * none
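
The search-then-bind flow and the ACL evaluation described in this reply, as an added worked example that is not part of the original thread or of OpenLDAP: a small Python model of slapd's access evaluation (first matching "access to" clause decides, first matching "by" clause within it wins, no match denies) run against the three ACL sets above. The directory entries, the password value and the "closed" ACL reconstructed from Joe's description are constructed for the example; the model covers only the subset of access-directive syntax used in the post, and treats the final bind as a plain password comparison without modelling its own access control.

```python
import re

# slapd access levels, lowest to highest; a granted level implies the lower ones.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

# Constructed sample directory (not from the post): DN -> attributes.
DIRECTORY = {
    "uid=jnoviell,ou=people,dc=foo,dc=com": {
        "objectclass": ["person"], "uid": ["jnoviell"], "cn": ["Joe Novielli"],
        "mail": ["jnoviell@example.com"], "userpassword": ["secret"]},
    "cn=admins,ou=groups,dc=foo,dc=com": {
        "objectclass": ["groupofnames"], "cn": ["admins"]},
}

# The three ACL sets discussed: Joe's closed one (reconstructed from his
# description), the reply's open one, and the reply's scoped one.
ACL_CLOSED = "access to *\n by self write\n by * none\n"
ACL_OPEN = ("access to * attribute=uid,cn\n by self write\n by * search\n"
            "access to * attribute=entry\n by self write\n by * read\n" + ACL_CLOSED)
PEOPLE = 'dn="^(cn|uid)=[[:alnum:]]+,ou=people,dc=foo,dc=com$" filter="(objectclass=person)"'
ACL_SCOPED = (f"access to {PEOPLE} attribute=uid,cn\n by self write\n by * search\n"
              f"access to {PEOPLE} attribute=entry\n by self write\n by * read\n" + ACL_CLOSED)


def compile_dn_regex(pattern):
    # Python's re has no POSIX classes: translate [[:alnum:]]. A bare [:alnum:]
    # is left alone and, exactly as in POSIX, means "one of : a l n u m".
    return re.compile(pattern.replace("[[:alnum:]]", "[A-Za-z0-9]"), re.I)


def dn_matches(pattern, dn):
    return compile_dn_regex(pattern).search(dn) is not None


def parse_acl(text):
    """Parse 'access to [*] [dn="re"] [filter="(objectclass=X)"] [attribute=a,b]'
    lines followed by 'by self|* <level>' lines (the subset used in the post)."""
    clauses = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            clause = {"dn": None, "oc": None, "attrs": None, "by": []}
            for tok in re.findall(r'\S+?="[^"]*"|\S+', line[len("access to "):]):
                key, _, val = tok.partition("=")
                val = val.strip('"')
                if key == "dn":
                    clause["dn"] = compile_dn_regex(val)
                elif key == "filter":
                    clause["oc"] = re.fullmatch(r"\(objectclass=(\w+)\)", val, re.I).group(1).lower()
                elif key in ("attribute", "attrs", "attr"):
                    clause["attrs"] = {a.lower() for a in val.split(",")}
            clauses.append(clause)
        elif line.startswith("by "):
            _, who, level = line.split()
            clauses[-1]["by"].append((who, LEVELS[level]))
    return clauses


def access_allowed(acl, bound_dn, target_dn, attr, needed):
    """slapd order of evaluation: the first 'access to' clause whose target
    matches decides; within it the first matching 'by' wins; no match denies.
    bound_dn=None is an anonymous requester."""
    entry = DIRECTORY[target_dn]
    for c in acl:
        if c["dn"] and not c["dn"].search(target_dn):
            continue
        if c["oc"] and c["oc"] not in entry.get("objectclass", []):
            continue
        if c["attrs"] is not None and attr.lower() not in c["attrs"]:
            continue
        for who, level in c["by"]:
            if who == "*" or (who == "self" and bound_dn == target_dn):
                return level >= LEVELS[needed]
        return False
    return False


def anon_search_for_dn(acl, filter_attr, value):
    """Step one of the perLDAP script: anonymous search for (filter_attr=value).
    slapd returns an entry only if the requester has 'search' access to the
    filtered attribute and 'read' access to the entry's "entry" pseudo-attribute."""
    return [dn for dn, e in DIRECTORY.items()
            if value in e.get(filter_attr, [])
            and access_allowed(acl, None, dn, filter_attr, "search")
            and access_allowed(acl, None, dn, "entry", "read")]


def search_then_bind(acl, filter_attr, value, password):
    """The script's flow: look the DN up anonymously, then bind as it. With no
    hit it returns ("no-entry", None) without attempting a bind. The bind is
    simplified to a password comparison; its own access control is not modeled."""
    hits = anon_search_for_dn(acl, filter_attr, value)
    if not hits:
        return ("no-entry", None)
    dn = hits[0]
    return ("ok" if password in DIRECTORY[dn]["userpassword"] else "bad-password", dn)
```

Under the closed ACL the anonymous search returns nothing, so the script never reaches the bind; under the open ACL the uid lookup succeeds while mail stays unsearchable and userPassword stays unreadable to anonymous clients; under the scoped ACL the lookup still works for entries below ou=people but no longer exposes entries elsewhere in the tree. The dn_matches helper also shows why the regex needs the bracketed [[:alnum:]]+ form: a bare [:alnum:] is a six-character bracket expression and matches no real uid.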