
Re: access



Could someone help me with this?

I have the following in my slapd.conf.  The below part is in regards
to roaming profiles in Netscape.  It works great.  A user gives
password and has access to his roaming profile.

access to dn=".*,ou=Roaming,dc=amsite,dc=com" by dnattr=owner write
access to attr=userpassword
        by self write
        by * none

The below section is to restrict access to the directory to those in
the Employee group.  This part doesn't work.  I have read the slapd
and slurpd admins manual.

access to dn=".*,dc=amsite,dc=com"
        by dn=".*,ou=Employee,dc=amsite,dc=com" read
        by * none

I am trying to access the directory via Netscape's address book.  I
can search fine if I have access set to by * read.

What do I have wrong?

> I am trying to password protect my ldap directory.  With no access lines
> in the slapd.conf, I am able to search fine, anonymously.
> 
> I have the following in my slapd.conf
> 
> defaultaccess none
> access to *
>         by dn=".+, dc=amsite, dc=com" read
> 
> I have populated the database with the field userPassword.  
> I am trying to log in to the database.  I tried 
> ldapsearch -D "cn=User, dc=mydomain dc=com" -b "dc=mydomain, dc=com" -W
> I got the following error:
> 
> ldap_bind: Inappropriate authentication
> 
> also I tried:
> 
> ldapsearch -D "cn=User" -b "dc=mydomain, dc=com" -W
> and the error:
> 
> ldap_bind: Invalid credentials
> 
> I am trying also to connect to the directory with Netscape.  Netscape
> wants email address and password.  Does the email address have to be
> part of the dn?
> 
> > squeegy+ldap@squeegy.org wrote:
> > > 
> > > Hi,
> > > 
> > > I have restricted access to my ldap server, now how do I authenticate?
> > > Does LDAP hit the /etc/passwd file authentication?  So far I have
> > 
> > No. LDAP uses its own authentication to control access. The access is
> > based upon Access Control Lists.
> > 
> > For the simplest possible setup, keep the rootpw in slapd.conf the
> > default "secret".
> > 
> > Then bind to the directory as the manager (whatever you made the rootdn
> > entry).
> > 
> > Then try to modify an entry from ud:
> > 
> > * cb o=Williams Communications, c=US
> > 
> > * bind Manager
> >   Authenticating to the directory as "Manager"...
> >   Enter your LDAP password: *********
> >   Authentication successful.
> > 
> > * vedit David
> > 
> > ...
> > 
> > It should work for you.
> > 
> > As far as making the directory editable by users try this: (Warning: I
> > don't really know how (in)secure this is) in your slapd.conf:
> > 
> > defaultaccess read
> > access to * by self write
> >             by dn="cn=Manager, ou=SAM, o=Concentric Network, c=US" write
> > 
> > These should be the last lines in your slapd.conf (or before a second
> > database definition)...
> > 
> > If you need more help with ACL's check the documentation (SLAPD/SLURPD
> > Admin Guide); there are some examples in there.
> > 
> > Hope that helps...
> > 
> > David
> > 
> > > seen
> > > unable to access my ldap server since restricting it.  Thanks for the
> > > help.
> > > 
> > > > squeegy+ldap@squeegy.org schrieb:
> > > > >
> > > > > Hi,
> > > > >
> > > > > Thanks to the help I have gotten here, I have
> > > > > built my directory.  I want this directory to be used only by
> > > > > those inside the company.  How do I password protect the directory
> > > > > and disable anonymous searches?
> > > 
> > > ___________________
> > > 
> > > Jt "The Squeegy" Chiodi
> > > 
> > > http://www.squeegy.org/
> > > squeegy@squeegy.org
> > 
> 
> 
> 
> ___________________
> 
> Jt "The Squeegy" Chiodi
> 
> http://www.squeegy.org/
> squeegy@squeegy.org
> 
> 



___________________

Jt "The Squeegy" Chiodi

http://www.squeegy.org/
squeegy@squeegy.org
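
As an added example (not part of the original thread and not OpenLDAP code), the sketch below models first-match ACL evaluation for the three `access to` directives in the message above. It shows that an anonymous bind never satisfies the `by dn=` clause, and that the clause matches on where the bound DN sits in the tree. The evaluation model, the DN normalisation and the sample DNs used with it are simplifying assumptions constructed for illustration.

```python
import re

# Simplified model of slapd ACL evaluation (an assumption of this example):
# the first "access to" whose <what> matches is selected, then its first
# matching "by" clause decides; no matching "by" clause means no access.
RULES = [  # the three directives from the message, in slapd.conf order
    {"dn": r".*,ou=Roaming,dc=amsite,dc=com", "attr": None,
     "by": [("dnattr=owner", "write")]},
    {"dn": None, "attr": "userpassword",
     "by": [("self", "write"), ("*", "none")]},
    {"dn": r".*,dc=amsite,dc=com", "attr": None,
     "by": [("dn=.*,ou=Employee,dc=amsite,dc=com", "read"), ("*", "none")]},
]

def norm(dn):
    """Lower-case and drop spaces after commas so DNs compare consistently."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def dn_matches(pattern, dn):
    return re.search(pattern, norm(dn), re.IGNORECASE) is not None

def who_matches(who, bound_dn, entry_dn, entry_attrs):
    if who == "*":
        return True
    if not bound_dn:                      # anonymous bind has an empty DN
        return False
    if who == "self":
        return norm(bound_dn) == norm(entry_dn)
    if who.startswith("dnattr="):         # bound DN listed in that attribute
        owners = entry_attrs.get(who.split("=", 1)[1], [])
        return norm(bound_dn) in [norm(o) for o in owners]
    return dn_matches(who.split("=", 1)[1], bound_dn)   # by dn=<regex>

def access(bound_dn, entry_dn, attr, entry_attrs=None, default="none"):
    """Return the access level granted under this model."""
    for rule in RULES:
        if rule["dn"] and not dn_matches(rule["dn"], entry_dn):
            continue
        if rule["attr"] and rule["attr"] != attr.lower():
            continue
        for who, level in rule["by"]:
            if who_matches(who, bound_dn, entry_dn, entry_attrs or {}):
                return level
        return "none"                     # rule selected, no "by" matched
    return default                        # no rule matched: defaultaccess
```

Calling `access("", "cn=Bob,ou=Employee,dc=amsite,dc=com", "cn")` returns `"none"`, while the same lookup bound as a DN under `ou=Employee` returns `"read"`.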