RE: problems using ldapsearch and authentication with 2.0
Here are some concerns that I have with this. (Comments listed within the
reply.)
Kelli Wolfe <kelli@inlet.com> said:
> Hi!
>
> Did Hugo's suggestion work? Here's what I had to do, but Hugo's is
> a little more elegant.
>
> # Deny all that is not specifically allowed
> defaultaccess none
>
> # The manager and the user can change the user's password
> access to attr=userpassword
> by self write
> by dn="cn=Manager, dc=mcld, dc=net" write
> by * search
This is fine except for the search. I am encrypting my passwords, but does search
allow users to see the encrypted password?
> # The manager and the user can change the user's
> # allowed machine access
> # these are needed to allow the clients to authenticate
> # with anonymous binding (I wish they didn't have to be "read")
> access to attr=objectclass,uid,host,uidnumber,gidnumber,homedirectory,loginshell,gecos,description
> by dn="cn=Manager, dc=mcld, dc=net" write
> by * read
Ok. So what I currently have, listed below this paragraph, will not work for
host authentication? I must use something like this example in order to
authenticate?
access to *
by anonymous auth
by self write
by * read
> # Entry = dn and is needed to access the entries at all
> access to attr=entry
> by * read
This doesn't really concern me, right? It's simply a reference to an entry dn
in your ldbm.
> # Specifically allow the fields that we want the world to see
> access to attr=mail,entry,cn,sn,o,ou
> by * read
>
> Kelli
>
>
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
> Hugo.van.der.Kooij@caiw.nl
> Sent: Saturday, September 23, 2000 2:04 PM
> To: Joseph Hoot
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: problems using ldapsearch with 2.0
>
>
> On Sat, 23 Sep 2000, Joseph Hoot wrote:
>
> > Ok. That was correct. I didn't have the rights. When I used -D
> > cn=manager,dc=nowcom,dc=com -W and entered a password, it came back with
> > the correct information. What do you suppose is the best way to allow
> > hosts to contact the ldap server so that users can authenticate against it?
>
> Most examples include info for authentication. But authentication only
> does not allow you to search.
>
> Like:
>
> access to *
> by self write
> by anonymous auth
>
> Hugo.
>
> --
> Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ Maasland
> hvdkooij@caiw.nl http://home.kabelfoon.nl/~hvdkooij/
> --------------------------------------------------------------
> Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
>
--
Joseph Hoot
System Administrator
http://www.networkpenguin.com
joe@networkpenguin.com
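Added example, not code from this thread or from OpenLDAP itself: a small Python model of how slapd evaluates the slapd.conf "access to ... by ..." directives, run over the three configurations quoted above (Kelli's, Hugo's and Joseph's draft). It implements the documented rules: privilege levels are ordered none < auth < compare < search < read < write and each level implies the lower ones; directives are tried in order and the first whose target covers the attribute is selected; within it the first "by" clause whose <who> matches the requester decides, and if none matches access is denied; the OpenLDAP 2.0 "defaultaccess" level applies only when no directive matches at all. The user DN `uid=kelli,dc=mcld,dc=net` is a constructed value for the demonstration, and `entry` is treated here as a plain attribute name rather than slapd's entry pseudo-attribute.

```python
# Added example, not code from the thread or from OpenLDAP: a small model of
# how slapd evaluates slapd.conf "access" directives, run over the three
# configurations quoted in this message. It follows the documented rules:
# levels are ordered none < auth < compare < search < read < write and each
# implies the lower ones; directives are tried in order and the first whose
# target covers the attribute is chosen; inside it the first "by" clause
# whose <who> matches the requester decides, otherwise access is denied;
# "defaultaccess" (OpenLDAP 2.0) applies only when no directive matches.
import re
from dataclasses import dataclass, field

LEVELS = ["none", "auth", "compare", "search", "read", "write"]
KELLI_ACL = """
defaultaccess none
access to attr=userpassword
by self write
by dn="cn=Manager, dc=mcld, dc=net" write
by * search
access to attr=objectclass,uid,host,uidnumber,gidnumber,homedirectory,loginshell,gecos,description
by dn="cn=Manager, dc=mcld, dc=net" write
by * read
access to attr=entry
by * read
access to attr=mail,entry,cn,sn,o,ou
by * read
"""
HUGO_ACL = """
access to *
by self write
by anonymous auth
"""
JOSEPH_ACL = """
access to *
by anonymous auth
by self write
by * read
"""

@dataclass
class Acl:
    default: str = "none"                      # level used when no directive matches
    rules: list = field(default_factory=list)  # (attrs or None for "*", [(who, level), ...])

def normalize_dn(dn):
    # Case-insensitive compare, ignoring spaces after commas.
    return ",".join(p.strip() for p in dn.split(",")).lower()

def parse_acl(text):
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("defaultaccess "):
            acl.default = line.split()[1]
        elif line == "access to *":
            acl.rules.append((None, []))
        elif line.startswith("access to attr="):
            names = line[len("access to attr="):].split(",")
            acl.rules.append((frozenset(n.strip().lower() for n in names), []))
        else:
            m = re.fullmatch(r'by (\*|self|anonymous|users|dn="[^"]+") (\w+)', line)
            if not m or m.group(2) not in LEVELS or not acl.rules:
                raise ValueError("unsupported line: " + line)
            acl.rules[-1][1].append((m.group(1), m.group(2)))
    return acl

def who_matches(who, requester, target):
    # requester is the bind DN, or None for an anonymous bind.
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if requester is None:
        return False
    if who == "users":
        return True
    if who == "self":
        return normalize_dn(requester) == normalize_dn(target)
    return normalize_dn(who[4:-1]) == normalize_dn(requester)   # dn="..."

def granted_level(acl, requester, target, attr):
    # Level the requester gets on one attribute of the target entry.
    for attrs, by in acl.rules:
        if attrs is None or attr.lower() in attrs:
            for who, level in by:
                if who_matches(who, requester, target):
                    return level
            return "none"          # directive matched but no by clause did
    return acl.default

def allowed(acl, requester, target, attr, needed):
    # True when the granted level is at least the level needed.
    return LEVELS.index(granted_level(acl, requester, target, attr)) >= LEVELS.index(needed)

if __name__ == "__main__":
    user = "uid=kelli,dc=mcld,dc=net"   # constructed entry DN for the demo
    for name, text in [("Kelli", KELLI_ACL), ("Hugo", HUGO_ACL), ("Joseph", JOSEPH_ACL)]:
        print(name, "anonymous on userPassword:", granted_level(parse_acl(text), None, user, "userPassword"))
```

Running the model answers the questions raised in the reply. Under Kelli's rules an anonymous bind gets "search" on userpassword: that level does not return the stored (hashed) value, which needs "read", but it implies "compare" and lets the attribute be used in search filters, which is more than a bind needs; "auth" is the minimum level a bind requires and is the safer choice for `by *` or `by anonymous`. Under Hugo's rules anonymous gets "auth" only and an authenticated user gets nothing on other people's entries, which is why authentication works but searches return nothing. Joseph's draft grants every authenticated user "read" on everything, and clause order matters: moving `by * read` above `by anonymous auth` would also give anonymous binds read access.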