
RE: problems using ldapsearch and authentication with 2.0



Here are some concerns that I have with this. (Comments are listed within the
reply.)

Kelli Wolfe <kelli@inlet.com> said:

> Hi!
> 
> Did Hugo suggestion work?  Here's what I had to do, but Hugo's is
> a little more elegant.
> 
> # Deny all that is not specifically allowed
> defaultaccess none
> 
> # The manager and the user can change the user's password
> access to attr=userpassword
>  by self write
>  by dn="cn=Manager, dc=mcld, dc=net" write
>  by * search

This is fine except the search.  I am encrypting my passwords, but does search
allow users to see the encrypted password?



> # The manager and the user can change the user's
> # allowed machine access
> #   these are needed to allow the client's to authenticate
> #    with anonymous binding  (I wish they didn't have to be "read")
> access to
> attr=objectclass,uid,host,uidnumber,gidnumber,homedirectory,loginshell,gecos,description
>  by dn="cn=Manager, dc=mcld, dc=net" write
>  by * read


Ok.  So, what I currently have, listed below this paragraph, will not work for
host authentication?  I must use something like this example in order to
authenticate?

access to *
     by anonymous auth
     by self write
     by * read

 
> # Entry = dn and is needed to access the entries at all
> access to attr=entry
>  by * read

This doesn't really concern me, right?  It's simply a reference to an entry DN
in your ldbm.

> # Specifically allow the fields that we want the world to see
> access to attr=mail,entry,cn,sn,o,ou
>  by * read
> 
> Kelli
> 
> 
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
> Hugo.van.der.Kooij@caiw.nl
> Sent: Saturday, September 23, 2000 2:04 PM
> To: Joseph Hoot
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: problems using ldapsearch with 2.0
> 
> 
> On Sat, 23 Sep 2000, Joseph Hoot wrote:
> 
> > Ok.  That was correct.  I didn't have the rights.  When I used -D
> > cn=manager,dc=nowcom,dc=com -W and entered a password, it came back with the
> > correct information.  What do you suppose is the best way to allow hosts to
> > contact the ldap server so that users can authenticate against it?
> 
> Most examples include info for authentication. But authentication only
> does not allow you to search.
> 
> Like:
> 
> access to *
>         by self write
>         by anonymous auth
> 
> Hugo.
> 
> --
> Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
> hvdkooij@caiw.nl	http://home.kabelfoon.nl/~hvdkooij/
> --------------------------------------------------------------
> Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
> 
-- 
Joseph Hoot
System Administrator
http://www.networkpenguin.com
joe@networkpenguin.com
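The thread turns on how slapd's access levels relate to one another: "auth" lets an anonymous client bind (compare the supplied password) but not search, and "search" on userpassword is enough for a bind yet does not let the hashed value be returned. The following Python model is an added illustration, not code from this thread or from OpenLDAP itself; it assumes the ordering none < auth < compare < search < read < write (each level implying the ones below), first-matching "access to" clause and first-matching "by" selector wins, and models only the selectors used in the messages above. The user DN, the manager DN's use in a test and the one-line layout of the attribute list are constructed for the demo.

```python
"""Toy model of OpenLDAP 2.0 slapd.conf access control (added illustration).

Assumed semantics: levels ordered none < auth < compare < search < read < write,
each implying the lower ones; the first 'access to' clause whose target matches
is used, and within it the first matching 'by' selector decides (no match ->
none). Selectors modelled: '*', 'anonymous', 'self', dn="...". Not slapd's parser.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ANONYMOUS = None  # requester DN for an unauthenticated (anonymous) bind


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' directives into rules."""
    rules, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("access to"):
            what = line[len("access to"):].strip()
            if what == "*":
                attrs = None                      # any attribute of any entry
            elif what.startswith("attr="):
                attrs = {a.strip().lower() for a in what[5:].split(",")}
            else:
                raise ValueError("unsupported target: " + what)
            current = {"attrs": attrs, "by": []}
            rules.append(current)
        elif line.startswith("by ") and current is not None:
            who, level = line[3:].rsplit(None, 1)  # level is the last word
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            current["by"].append((who.strip(), level))
        else:
            raise ValueError("unrecognised line: " + line)
    return rules


def _norm_dn(dn):
    return ",".join(p.strip() for p in dn.split(",")).lower()


def _who_matches(who, requester, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is ANONYMOUS
    if requester is ANONYMOUS:                   # self/dn never match anonymous
        return False
    if who == "self":
        return _norm_dn(requester) == _norm_dn(target_dn)
    if who.startswith('dn="') and who.endswith('"'):
        return _norm_dn(requester) == _norm_dn(who[4:-1])
    raise ValueError("unsupported selector: " + who)


def granted_level(rules, requester, target_dn, attr, default="none"):
    """Level the requester holds on attr of target_dn under these rules."""
    for rule in rules:
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue
        for who, level in rule["by"]:
            if _who_matches(who, requester, target_dn):
                return level
        return "none"        # clause matched the target but no selector matched
    return default           # no clause matched: 'defaultaccess' applies


def allowed(rules, requester, target_dn, attr, needed, default="none"):
    have = granted_level(rules, requester, target_dn, attr, default)
    return LEVELS.index(have) >= LEVELS.index(needed)


# Constructed one-line copies of the two ACL styles discussed in the thread.
KELLI_ACL = """
access to attr=userpassword
  by self write
  by dn="cn=Manager, dc=mcld, dc=net" write
  by * search
access to attr=objectclass,uid,host,uidnumber,gidnumber,homedirectory,loginshell,gecos,description
  by dn="cn=Manager, dc=mcld, dc=net" write
  by * read
access to attr=entry
  by * read
"""
HUGO_ACL = """
access to *
  by self write
  by anonymous auth
"""
USER = "uid=joe,ou=people,dc=mcld,dc=net"   # constructed user entry


def demo():
    k, h = parse_acl(KELLI_ACL), parse_acl(HUGO_ACL)
    return {
        "kelli_anon_auth_userpassword": allowed(k, ANONYMOUS, USER, "userPassword", "auth"),
        "kelli_anon_read_userpassword": allowed(k, ANONYMOUS, USER, "userPassword", "read"),
        "kelli_anon_search_userpassword": allowed(k, ANONYMOUS, USER, "userPassword", "search"),
        "kelli_self_read_userpassword": allowed(k, USER, USER, "userPassword", "read"),
        "kelli_anon_read_uid": allowed(k, ANONYMOUS, USER, "uid", "read"),
        "hugo_anon_auth_userpassword": allowed(h, ANONYMOUS, USER, "userPassword", "auth"),
        "hugo_anon_search_uid": allowed(h, ANONYMOUS, USER, "uid", "search"),
        "hugo_self_read_uid": allowed(h, USER, USER, "uid", "read"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

Running the model shows both points made in the thread: under the first ACL an anonymous bind against userpassword succeeds (search implies auth) while reading the hashed value is denied, and under the "by anonymous auth" ACL the bind succeeds but an anonymous search on uid is denied, which is why host lookups fail with it alone. Note that "by * search" on userpassword is broader than a bind needs, since it still lets the attribute be used in a search filter; "by anonymous auth" is the tighter grant for that attribute.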