Re: access
Oops, disregard my last message. I didn't scroll down. Thanks for
the info. I will try it out.
> ud implem
> At 02:22 PM 1/21/00 -0500, squeegy+ldap@squeegy.org wrote:
> >I try to connect with ud with my access set to the below I get :
> >
> >* bind Chiodi
> > Authenticating to the directory as "JT Chiodi"...
> > Enter your LDAP password:
> > Enter your LDAP password:
> > Authentication successful.
> >
> >access to dn=".*,ou=Roaming,dc=amsite,dc=com" by dnattr=owner write
> >access to attr=userpassword
> >        by self write
> >        by * none
> >access to attr=uid,ou,sn,givenname,objectclass
> >        by self read
> >        by * search
> >
> >access to dn=".*,dc=amsite,dc=com"
> >        by dn=".*,dc=amsite,dc=com" read
> >        by * read
> >
> >And I can bind. note the last line above. If I change that from
> >by * read to by * none and try to bind in ud I get the following:
> >
> >* bind Chiodi
> > I could not find "Chiodi" in the Directory.
> > I used a search base of amsite, com
> >
> >Of course with by * read set I can browse my ldap directory without
> >authenticating.
>
> UD searches the directory for the entry associated with the
> user name you enter and then attempts to bind to that entry.
> If it cannot find that entry (due to ACL or other reasons),
> it cannot perform the bind. This is a so-called "smart bind"
> (a number of other clients behave similarly) and requires
> that you allow anonymous searches (appropriate for the
> assertions made by the client) AND allow anonymous reads
> of the entries' "entry" which you'd like to authenticate
> as. You do not have to allow read of any attribute.
>
> access to attr=entry
>         by * read               # allow anon read of DNs
>         by self write
>         by dn=".+" read
>
> access to attr=cn,givenName,sn,uid
>         by dn="" search         # allow anon search
>         by self write
>         by dn=".+" read
>
> access to attr=userpassword
>         by self write
>         by * none               # deny non-self including anon
>
> access to *
>         by self write
>         by dn=".+" read
>         by * none               # deny anon access
>
>
> Personally, I disallow "smart" bind...
>
___________________
Jt "The Squeegy" Chiodi
http://www.squeegy.org/
squeegy@squeegy.org
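To make the "smart bind" behaviour and the ACL interplay in the thread concrete, here is an added, self-contained Python model (it is not OpenLDAP code and not part of either message). It encodes Kurt's four access directives and a stripped-down version of the failing configuration from the question, evaluates them with simplified slapd rules (first matching `access to` directive wins, first matching `by` clause within it decides, no match means no access), and walks a client through the two steps: an anonymous search for `uid=<user>` that needs `search` on `uid` plus `read` on the `entry` pseudo-attribute, then a bind as the DN found. The sample directory, DNs and passwords are constructed placeholders, and the password check in the bind step is a plain comparison standing in for the server's own bind handling (an assumption of the model, not an ACL decision).

```python
"""Model of the search-then-bind ("smart bind") flow against a simplified
slapd-style ACL. Constructed example; not OpenLDAP code."""
import re

LEVELS = ["none", "compare", "search", "read", "write"]  # ordered access levels

# Constructed sample directory: DN -> attributes (placeholder values only).
DIRECTORY = {
    "cn=JT Chiodi,dc=amsite,dc=com": {
        "uid": ["chiodi"], "cn": ["JT Chiodi"], "sn": ["Chiodi"],
        "userpassword": ["example-secret"],      # constructed placeholder
    },
    "cn=Other User,dc=amsite,dc=com": {
        "uid": ["other"], "cn": ["Other User"], "sn": ["User"],
        "userpassword": ["another-placeholder"], # constructed placeholder
    },
}

# Kurt's four directives, encoded for this model (first match wins).
ACL_FIXED = [
    (("attr", {"entry"}), [("*", "read"), ("self", "write"), (("dn", ".+"), "read")]),
    (("attr", {"cn", "givenname", "sn", "uid"}),
        [(("dn", ""), "search"), ("self", "write"), (("dn", ".+"), "read")]),
    (("attr", {"userpassword"}), [("self", "write"), ("*", "none")]),
    ("*", [("self", "write"), (("dn", ".+"), "read"), ("*", "none")]),
]
# The failing situation from the question, reduced: anonymous gets nothing.
ACL_BROKEN = [
    (("attr", {"userpassword"}), [("self", "write"), ("*", "none")]),
    ("*", [("self", "write"), (("dn", ".+"), "read"), ("*", "none")]),
]

def what_matches(what, target_dn, attr):
    """<what>: '*' matches everything, ('attr', names) matches an attribute,
    ('dn', regex) matches every attribute of entries whose DN matches."""
    if what == "*":
        return True
    kind, value = what
    if kind == "attr":
        return attr.lower() in value
    return re.fullmatch(value, target_dn) is not None

def who_matches(who, target_dn, bind_dn):
    """<who>: '*' is anyone, 'self' is the entry being accessed, ('dn', regex)
    is matched against the requester's DN, which is '' when anonymous
    (so dn="" means anonymous and dn=".+" means any authenticated user)."""
    if who == "*":
        return True
    if who == "self":
        return bind_dn != "" and bind_dn == target_dn
    return re.fullmatch(who[1], bind_dn) is not None

def granted(acl, target_dn, attr, bind_dn, needed):
    """First matching <what> directive is used; within it the first matching
    <who> decides; no matching <who> (or no directive at all) denies."""
    for what, by_clauses in acl:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, target_dn, bind_dn):
                return LEVELS.index(level) >= LEVELS.index(needed)
        return False
    return False

def smart_bind(acl, base, uid, password, directory=DIRECTORY):
    """Step 1: anonymous search for (uid=<uid>) under base; the filter needs
    'search' on uid and returning the entry needs 'read' on 'entry'.
    Step 2: simple bind as the single DN found (password check simulated).
    Returns the bound DN, or None when the entry cannot be found or the
    bind fails (the "I could not find ... in the Directory" case)."""
    found = []
    for dn, attrs in directory.items():
        if not dn.lower().endswith(base.lower()):
            continue
        if not granted(acl, dn, "uid", "", "search"):
            continue  # filter cannot be evaluated against this entry
        if uid.lower() in (v.lower() for v in attrs.get("uid", [])):
            if granted(acl, dn, "entry", "", "read"):
                found.append(dn)
    if len(found) != 1:
        return None
    dn = found[0]
    return dn if password in directory[dn]["userpassword"] else None

if __name__ == "__main__":
    base = "dc=amsite,dc=com"
    print("fixed  :", smart_bind(ACL_FIXED, base, "chiodi", "example-secret"))
    print("broken :", smart_bind(ACL_BROKEN, base, "chiodi", "example-secret"))
```

With `ACL_FIXED` the anonymous search locates the entry and the bind succeeds; with `ACL_BROKEN` the same client never gets past the search, which is exactly the symptom in the question. Note that even in the fixed configuration anonymous gets no `read` on `sn`, `cn` or `uid` values (only `search`), and `userpassword` is never readable by anyone but the entry itself.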
- References:
- Re: access
- From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>