[staff@kern.nl: [staff] Re: Using OpenLDAP with authentication in email clients, please help]
Hello,
The problem is probably that your ACL is not configured properly. Your
bind ACL is configured as follows:
access to *
by self write
by dn=".+" read
by dn="^$$" compare
by * none
When you try to bind to the LDAP database, it tries to match an access
to line with the binddn (cn=user,o=root for example). These access to
lines contain a 'what' clause in the form of a regular
expression. After finding a matching access to clause, it parses the
'by' clauses belonging to this access to clause to find a matching 'who' clause
(also regex). When found, the access rule belonging to this 'by' clause
is used.
The first match for this binddn will be 'access to *' in this config. The
only 'who' that matches is * in this case, because
authentication/authorization is done anonymously. As you can see, the
matching access rule will be 'none' so the bind fails.
The reason Netscape _does_ successfully bind could be because it's
'ldap-aware'. I think it does bind with the binddn directly, without
binding anonymously first.
If you replace the line
by * none
with
by anonymous auth
this problem should be solved. This way everyone can do an anonymous bind,
however they have no other rights till they bind as a user in your LDAP tree.
btw: the 'by * none' is not needed in this case, because the
'defaultaccess none' takes care of this.
The 'by dn=".+" read' should be replaced with 'by users read', at least I
think that is what you want with it...
_Do_ see also:
http://www.openldap.org/doc/admin/slapdconfig.html#Access Control
------------------------------------------------------------------
Kern Automatiseringsdiensten BV (http://www.kern.nl)
Kruislaan 419 1098 VA Amsterdam
t. 020 - 8884580 t. 020 - 6939869 f. 020 - 8884501
On Tue, 26 Jun 2001, Stan P. van de Burgt wrote:
> Hi Guys,
>
> I really searched everywhere on the OpenLDAP site, on other LDAP related sites
> and on the Internet, but can't solve it myself:
>
> We would like to use OpenLDAP for directory services in our company. This
> server should be accessible to employees of our company, but no-one else.
>
> The directory should be accessible on the road, from offices in other
> countries, ..., to people that are in the directory only.
>
> I installed OpenLDAP and populated it with our directory information. When
> no ACL is present in the slapd.conf file, it works fine with Netscape
> Communicator, Outlook Express, Eudora, ....
>
> But with ACL present, I barely get Netscape to work (I have to give my email
> address and password for every query, it doesn't remember it); in Eudora
> there's no place to put account/password and Outlook fails to login and
> reverts to anonymous lookup which (obviously) returns 0 matches.
>
> With ldapsearch from remote machines and with LDAP clients like Ldapper, it
> works fine.
>
> So please: If you have a recipe for using Outlook (Eudora and Netscape are
> more than welcome too!) with OpenLDAP restricted to people in the directory
> only, please share it with me.
>
> My slapd.conf is below.
>
> Thanks!
>
> - Stan
>
> --
>
> #
> # See slapd.conf(5) for details on configuration options.
> # This file should NOT be world readable.
> #
> include /etc/openldap/slapd.at.conf
> include /etc/openldap/slapd.oc.conf
> schemacheck off
> #referral ldap://root.openldap.org/
>
> pidfile /var/run/slapd.pid
> argsfile /var/run/slapd.args
> #loglevel 488
>
> #######################################################################
> # ldbm database definitions
> #######################################################################
>
> database ldbm
> suffix "dc=Company, dc=com"
> rootdn "cn=xxx, dc=Company, dc=com"
> rootpw xxx
> # cleartext passwords, especially for the rootdn, should
> # be avoided. See slapd.conf(5) for details.
> directory /var/lib/ldap
>
> lastmod on
> sizelimit 50
> defaultaccess none
>
> # anonymous may compare (to bind using Netscape)
> access to attr=mail
> by self read
> by dn=".+" read
> by * search
>
> access to attr=userPassword
> by self write
> by dn="^$$" compare
> by * none
>
> access to attr=entry
> by * read
>
> access to *
> by self write
> by dn=".+" read
> by dn="^$$" compare
> by * none
>
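A small Python model of the first-match evaluation described in the reply above, added here as an example (it is not code from this thread or from OpenLDAP itself): it parses the quoted 'access to' block, walks the 'access to' / 'by' clauses in order, and compares the level a request needs against the level the first matching 'by' grants. The level ordering, the two 'what' forms handled, and the rule that dn= patterns are not tested against an anonymous bind are assumptions of this model, taken from the reply's description rather than from slapd's source.

```python
import re

# slapd's access-level ordering: a request for X succeeds if granted >= X
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse ordered 'access to <what>' / 'by <who> <level>' lines."""
    rules = []
    for parts in (l.split() for l in text.strip().splitlines()):
        if parts[:2] == ["access", "to"]:
            rules.append((parts[2], []))
        elif parts and parts[0] == "by":
            rules[-1][1].append((parts[1], parts[2]))
    return rules

def what_matches(what, attr):
    # only the two 'what' forms used in the thread: '*' and 'attr=NAME'
    return what == "*" or what == "attr=" + attr

def who_matches(who, binddn, target_dn):
    # binddn "" is an anonymous bind; '$$' in slapd.conf escapes a literal '$'
    if who == "*":
        return True
    if who == "anonymous":
        return binddn == ""
    if who == "users":
        return binddn != ""
    if who == "self":
        return binddn != "" and binddn == target_dn
    if who.startswith("dn=") and binddn != "":
        # as the reply describes it, dn= regexes are never tested for an
        # anonymous bind, so 'dn="^$$"' cannot rescue the anonymous case
        return re.search(who[3:].strip('"').replace("$$", "$"), binddn) is not None
    return False

def granted(rules, binddn, target_dn, attr):
    """First matching 'access to', then its first matching 'by', decides."""
    for what, bys in rules:
        if what_matches(what, attr):
            return next((lvl for who, lvl in bys
                         if who_matches(who, binddn, target_dn)), "none")
    return "none"  # nothing matched: 'defaultaccess none'

def allowed(rules, binddn, target_dn, attr, needed):
    return LEVELS.index(granted(rules, binddn, target_dn, attr)) >= LEVELS.index(needed)

# The ACL quoted in the reply, and the same block with the reply's two suggested changes
ORIGINAL = 'access to *\n by self write\n by dn=".+" read\n by dn="^$$" compare\n by * none'
FIXED = 'access to *\n by self write\n by users read\n by dn="^$$" compare\n by anonymous auth'
```

With ORIGINAL an anonymous bind is granted 'none' and so cannot obtain 'auth'; with FIXED it is granted exactly 'auth' and still nothing more, while a bound user keeps 'read' on others and 'write' on itself.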