
RE: problems using ldapsearch and authentication with 2.0



Replies below:

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Joseph Hoot
> Sent: Monday, September 25, 2000 10:37 AM
> To: kelli@inlet.com; openldap-software@OpenLDAP.org
> Subject: RE: problems using ldapsearch and authentication with 2.0
>
>
> Here are some concerns that I have with this.. (comments listed within the
> reply)
>
> Kelli Wolfe <kelli@inlet.com> said:
>
> > Hi!
> >
> > Did Hugo suggestion work?  Here's what I had to do, but Hugo's is
> > a little more elegant.
> >
> > # Deny all that is not specifically allowed
> > defaultaccess none
> >
> > # The manager and the user can change the user's password
> > access to attr=userpassword
> >  by self write
> >  by dn="cn=Manager, dc=mcld, dc=net" write
> >  by * search
>
> This is fine except the search.  I am encrypting my passwords, but does
> search allow users to see the encrypted password?
>
Search does not return the fields for viewing, Read does.  That's why
I'm not happy with the stanza below, I don't really want those
fields readable, but that seemed to be the only way to make
anonymous authentication work.
>
>
> > # The manager and the user can change the user's
> > # allowed machine access
> > #   these are needed to allow the client's to authenticate
> > #    with anonymous binding  (I wish they didn't have to be "read")
> > access to attr=objectclass,uid,host,uidnumber,gidnumber,homedirectory,loginshell,gecos,description
> >  by dn="cn=Manager, dc=mcld, dc=net" write
> >  by * read
>
>
> ok.  So, what I currently have, listed below this paragraph, will not work
> for host authentication?  I must use something like this example in order
> to authenticate?
>
> access to *
>      by anonymous auth
>      by self write
>      by * read
>
I wasn't able to get this to work for me.
>
> > # Entry = dn and is needed to access the entries at all
> > access to attr=entry
> >  by * read
>
> This doesn't really concern me right?  its simply a reference to an Entry
> dn in your ldbm.
>
When I was looking into the LDAP logs, it didn't appear that it
could retrieve the DN information without this entry.  I believe
this is giving the searcher base access to the entries themselves.
Someone please correct me if I'm wrong on any of this.
>
> > # Specifically allow the fields that we want the world to see
> > access to attr=mail,entry,cn,sn,o,ou
> >  by * read
> >
> > Kelli
> >
> >
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of
> > Hugo.van.der.Kooij@caiw.nl
> > Sent: Saturday, September 23, 2000 2:04 PM
> > To: Joseph Hoot
> > Cc: openldap-software@OpenLDAP.org
> > Subject: Re: problems using ldapsearch with 2.0
> >
> >
> > On Sat, 23 Sep 2000, Joseph Hoot wrote:
> >
> > > Ok.  That was correct.  I didn't have the rights.  When I used -D
> > > cn=manager,dc=nowcom,dc=com -W and entered a password, it came back with
> > > the correct information.  What do you suppose is the best way to allow
> > > hosts to contact the ldap server so that users can authenticate against it?
> >
> > Most examples include info for authentication. But authentication only
> > does not allow you to search.
> >
> > Like:
> >
> > access to *
> >         by self write
> >         by anonymous auth
> >
> > Hugo.
> >
> > --
> > Hugo van der Kooij; Oranje Nassaustraat 16; 3155 VJ  Maasland
> > hvdkooij@caiw.nl	http://home.kabelfoon.nl/~hvdkooij/
> > --------------------------------------------------------------
> > Quoting this tagline is illegal! (http://www.dtcc.edu/cs/rfc1855.html)
> >
>
>
>
> --
> Joseph Hoot
> System Administrator
> http://www.networkpenguin.com
> joe@networkpenguin.com
>
>
>
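Added illustration of the search-versus-read-versus-auth point argued in this thread; it is not code from the thread or from OpenLDAP. It is a small Python model of how slapd 2.0 evaluates `access to ... by ...` directives, run over the two ACL sets quoted above. It assumes the documented 2.0 rules (cumulative privilege levels, first matching `access to` clause, then its first matching `by`, `defaultaccess` when no clause matches), simplifies "clause matched but no `by` matched" to deny, and the `uid=joe` DN used for checks is a made-up entry.

```python
import re

# Added model of slapd 2.0 ACL evaluation (not OpenLDAP code). Levels are
# cumulative: each implies every level to its left, so "by * search" on
# userPassword still lets anonymous clients auth (bind) against it, while
# "by anonymous auth" alone does not let them search or read anything.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def _norm(dn):
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_acl(text):
    """Parse defaultaccess / 'access to <what>' / 'by <who> <level>' lines."""
    default, acls = "read", []  # "read" is slapd 2.0's default when unset
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("defaultaccess"):
            default = line.split()[1]
        elif line.startswith("access to"):
            what = line[len("access to"):].strip()
            acls.append((None if what == "*" else set(what[5:].lower().split(",")), []))
        elif line.startswith("by "):
            m = re.match(r'by\s+(\*|self|anonymous|users|dn="[^"]*")\s+(\w+)$', line)
            if not m:
                raise ValueError("unsupported 'by' clause: " + line)
            acls[-1][1].append((m.group(1), m.group(2)))
    return default, acls

def who_matches(who, bind_dn, target_dn):
    if who == "*": return True
    if who == "anonymous": return bind_dn is None
    if who == "users": return bind_dn is not None
    if who == "self": return bind_dn is not None and _norm(bind_dn) == _norm(target_dn)
    return bind_dn is not None and _norm(bind_dn) == _norm(who[4:-1])  # dn="..."

def granted(acl, bind_dn, target_dn, attr):
    """First 'access to' matching the attribute wins, then its first matching 'by'."""
    default, acls = acl
    for attrs, bys in acls:
        if attrs is None or attr.lower() in attrs:
            for who, level in bys:
                if who_matches(who, bind_dn, target_dn):
                    return level
            return "none"  # simplification: matched clause, no matching 'by' => deny
    return default

def allowed(acl, bind_dn, target_dn, attr, needed):
    return LEVELS.index(granted(acl, bind_dn, target_dn, attr)) >= LEVELS.index(needed)

# The two ACL sets from the thread, constructed inline for the demo.
KELLI = 'defaultaccess none\naccess to attr=userpassword\n by self write\n' \
        ' by dn="cn=Manager, dc=mcld, dc=net" write\n by * search\n'
HUGO = "access to *\n by self write\n by anonymous auth\n"
```

Calling `granted(parse_acl(KELLI), None, "uid=joe,dc=mcld,dc=net", "userPassword")` returns "search": enough to bind, not enough to read the hash; under `HUGO` an anonymous client gets only "auth", so a search for `uid` is refused.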