
Re: access



At 02:22 PM 1/21/00 -0500, squeegy+ldap@squeegy.org wrote:
>I try to  connect with ud with my access set to the below I get :
>
>* bind Chiodi
>  Authenticating to the directory as "JT Chiodi"...
>  Enter your LDAP password:
>  Enter your LDAP password:
>  Authentication successful.
>
>access to dn=".*,ou=Roaming,dc=amsite,dc=com" by dnattr=owner write
>access to attr=userpassword
>        by self write
>        by * none
>access to attr=uid,ou,sn,givenname,objectclass
>        by self read
>        by * search
>
>access to dn=".*,dc=amsite,dc=com"
>        by dn=".*,dc=amsite,dc=com" read
>        by * read
>
>And I can bind.  note the last line above.  If I change that from
>by * read to by * none and try to bind in ud  I get the following:
>
>* bind Chiodi
>  I could not find "Chiodi" in the Directory.
>  I used a search base of amsite, com
>
>Of course with by * read set I can browse my ldap directory without
>authenticating.

UD searches the directory for the entry associated with the
user name you enter and then attempts to bind to that entry.
If it cannot find that entry (due to ACL or other reasons),
it cannot perform the bind.  This is a so-called "smart bind"
(a number of other clients behave similarly) and requires
that you allow anonymous searches (appropriate for the
assertions made by the client) AND allow anonymous reads
of the entries' "entry" which you'd like to authenticate
as.  You do not have to allow read of any attribute.

access to attr=entry
	by * read	# allow anon read of DNs
	by self write
	by dn=".+" read

access to attr=cn,givenName,sn,uid
	by dn="" search	# allow anon search
	by self write
	by dn=".+" read

access to attr=userpassword
	by self write
	by * none		# deny non-self including anon

access to *
	by self write
	by dn=".+" read
	by * none		# deny anon access


Personally, I disallow "smart" bind...
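A model of what the reply describes, added here as an example and not part of the original thread or of OpenLDAP's own code: a small Python evaluator of slapd-style first-match ACLs that runs ud's two-step bind (anonymous search, then bind as the DN found) against the poster's directives, the poster's locked-down variant ("by * none" on the catch-all), and the revised set from the reply. The directory entry, the one-directive-per-line layout (which slapd.conf accepts) and the ACL grammar subset are constructed for the example. One caveat for anyone reusing the revised set today: on OpenLDAP 2.x a simple bind also needs "auth" access to userPassword (the usual "by anonymous auth"), which the example's modern=True switch checks.

```python
# Added example (not OpenLDAP code): a toy model of slapd's first-match ACL
# evaluation, tracing why ud's "smart bind" fails under the poster's directives
# and works under the revised ones. Entry and grammar subset are constructed.
import re

# slapd privilege order: a grant at one level implies every lower level.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

ORIGINAL_ACLS = """
access to dn=".*,ou=Roaming,dc=amsite,dc=com" by dnattr=owner write
access to attr=userpassword by self write by * none
access to attr=uid,ou,sn,givenname,objectclass by self read by * search
access to dn=".*,dc=amsite,dc=com" by dn=".*,dc=amsite,dc=com" read by * read
"""
# The poster's second attempt: same directives, catch-all changed to 'by * none'.
LOCKED_ACLS = ORIGINAL_ACLS.replace("read by * read", "read by * none")

REVISED_ACLS = """
access to attr=entry by * read by self write by dn=".+" read
access to attr=cn,givenName,sn,uid by dn="" search by self write by dn=".+" read
access to attr=userpassword by self write by * none
access to * by self write by dn=".+" read by * none
"""

# Constructed directory with one entry; attribute names are kept lower-case.
DIRECTORY = [{"dn": "uid=chiodi,ou=People,dc=amsite,dc=com", "uid": ["chiodi"],
              "cn": ["JT Chiodi"], "sn": ["Chiodi"], "userpassword": ["{crypt}x"]}]


def parse_acls(text):
    """Parse 'access to <what> by <who> <level>...' directives, kept in file order.
    <what>: '*', dn="<regex>", attr=<a>,<b>;  <who>: '*', self, dn="<regex>", dnattr=<attr>."""
    acls = []
    for chunk in re.split(r"(?m)^\s*access\s+to\s+", re.sub(r"#[^\n]*", "", text)):
        if not chunk.strip():
            continue
        what_txt, *by_txts = re.split(r"\s+by\s+", chunk.strip())
        what = {"dn": None, "attrs": None}
        for m in re.finditer(r'dn="([^"]*)"|attr=(\S+)', what_txt):
            if m.group(1) is not None:
                what["dn"] = re.compile(m.group(1), re.IGNORECASE)
            else:
                what["attrs"] = {a.lower() for a in m.group(2).split(",")}
        acls.append((what, [tuple(b.split()[:2]) for b in by_txts]))
    return acls


def who_matches(who, bind_dn, entry):
    if who == "*":
        return True
    if who == "self":
        return bind_dn.lower() == entry["dn"].lower()
    if who.startswith("dn="):      # dn="" means anonymous, as in the reply's comment;
        pat = who[4:-1]            # any other regex must match the whole bind DN
        return bind_dn == "" if pat == "" else bool(re.fullmatch(pat, bind_dn, re.IGNORECASE))
    if who.startswith("dnattr="):  # bind DN listed in the entry's named attribute
        return bind_dn != "" and bind_dn.lower() in [v.lower() for v in entry.get(who[7:], [])]
    raise ValueError("unsupported <who>: " + who)


def allowed(acls, bind_dn, entry, attr, needed):
    """First directive whose <what> matches decides; inside it the first matching
    <who> decides. No match anywhere is treated as deny (this model's assumption)."""
    for what, by in acls:
        if what["dn"] and not what["dn"].fullmatch(entry["dn"]):
            continue
        # attr=... lists never cover the 'entry' pseudo-attribute; only attr=entry or '*' do.
        if what["attrs"] is not None and attr.lower() not in what["attrs"]:
            continue
        for who, level in by:
            if who_matches(who, bind_dn, entry):
                return LEVELS[level] >= LEVELS[needed]
        return False
    return False


def smart_bind(acls, directory, name, modern=False):
    """ud-style bind: search anonymously for the name (modelled as an exact uid/cn
    match), then bind as the DN found. The entry is only returned if anonymous has
    'search' on the filter attribute and 'read' on 'entry'. With modern=True the
    bind step also needs 'auth' on userPassword, which OpenLDAP 2.x requires."""
    for entry in directory:
        for attr in ("uid", "cn"):
            if name.lower() not in [v.lower() for v in entry.get(attr, [])]:
                continue
            if not (allowed(acls, "", entry, attr, "search") and allowed(acls, "", entry, "entry", "read")):
                continue
            if modern and not allowed(acls, "", entry, "userpassword", "auth"):
                return ("no_auth", entry["dn"])
            return ("bound", entry["dn"])
    return ("not_found", name)


def demo():
    """Outcome of 'bind Chiodi' under each configuration."""
    return {"original": smart_bind(parse_acls(ORIGINAL_ACLS), DIRECTORY, "Chiodi")[0],
            "anon denied": smart_bind(parse_acls(LOCKED_ACLS), DIRECTORY, "Chiodi")[0],
            "revised": smart_bind(parse_acls(REVISED_ACLS), DIRECTORY, "Chiodi")[0],
            "revised, 2.x bind rules": smart_bind(parse_acls(REVISED_ACLS), DIRECTORY, "Chiodi", modern=True)[0]}
```

Calling demo() reproduces the thread: the original directives bind (and let anonymous read everything under dc=amsite,dc=com), the "by * none" variant makes the entry invisible to the anonymous search so the bind never starts, and the revised set binds while denying anonymous every attribute except the "entry" pseudo-attribute; the final row shows the same revised set failing once 2.x's "auth on userPassword" rule is applied.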