
Trying to understand how authentication works



Hi folks,

I'm trying to understand how the access control mechanisms in openldap
work, and, I admit, I'm confused.  Trawling the mailing list archives
didn't help any, and the FAQ left me more confused.

I'm looking at

    http://www.openldap.org/doc/admin/slapdconfig.html

section 5.3 (Access Control) at the moment, and some things I don't
follow.

There's a table in section 5.3.2, "Access Entity Specifiers"

       +---------------------------------------------------------------+
       | Specifier  | Entities                                         |
       |------------+--------------------------------------------------|
       | *          | All, including anonymous and authenticated users |
       |------------+--------------------------------------------------|
       | anonymous  | Anonymous (non-authenticated) users              |
       |------------+--------------------------------------------------|
       | users      | Authenticated users                              |
       |------------+--------------------------------------------------|
       | self       | User associated with target entry                |
       |------------+--------------------------------------------------|
       | dn=<regex> | Users matching regular expression                |
       +---------------------------------------------------------------+

"*" and "anonymous" I understand.

"users" doesn't make sense.  It says "Authenticated users", but I can't
see anywhere in the documentation where it explains how a user is
supposed to authenticate themselves.

"self" doesn't make sense either.  How is a 'user' associated with a
'target entry'?

The specific situation I'm trying to create is one where I have a
directory structure that's like this:

 o dc=example,dc=com
 |
 +--o cn=Manager,dc=example,dc=com
 |
 +--o ou=users,dc=example,dc=com
    |
    +--o uid=nik,ou=users,dc=example,dc=com
    |  +- userPassword: foo
    |  +- homeDirectory: /home/nik
    |  +- ...
    |
    +--o uid=mark,ou=users,dc=example,dc=com
    |  +- userPassword: bar
    |  +- homeDirectory: /home/mark
    |  +- ...
    :
    :

such that people can browse the directory, using their uid and password
(which should be encrypted in the directory).

Any pointers gratefully received.  I'll cheerfully write up my
experiences for the FAQ.

N
-- 
FreeBSD: The Power to Serve             http://www.freebsd.org/
FreeBSD Documentation Project           http://www.freebsd.org/docproj/

          --- 15B8 3FFC DDB4 34B0 AA5F  94B7 93A8 0764 2C37 E375 ---

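One way to express the setup asked for above, as an added slapd.conf fragment that is not from the original post or the OpenLDAP documentation; it assumes the OpenLDAP 2.1+ ACL syntax described in slapd.access(5) (dn.subtree, attrs=) and the {SSHA} hash scheme, and the rootpw value is a placeholder:

```conf
# Added example (not from the original post): slapd.conf fragment for the
# dc=example,dc=com tree in the question.  Assumes OpenLDAP 2.1 or later
# ACL syntax; the {SSHA} scheme is an assumption.

# Hash passwords that are set through the Password Modify extended
# operation (ldappasswd) with salted SHA-1 instead of storing clear text.
# Values written directly with ldapadd/ldapmodify are stored as given, so
# pre-hash those with slappasswd.
password-hash   {SSHA}

# The rootdn is exempt from ACLs, so cn=Manager needs no "by" clause below.
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          {SSHA}PASTE-OUTPUT-OF-slappasswd-HERE   # placeholder

# ACLs are evaluated in order: the first "to" clause matching the entry
# or attribute wins, then the first matching "by" clause sets the level.
#
# userPassword: "self" matches when the DN the client bound with is the
# DN of the entry being accessed, so a user may change only their own
# password.  "anonymous auth" lets an unauthenticated simple bind compare
# the supplied password with the stored hash without reading it; this is
# how a user "authenticates themselves".  Everyone else gets nothing.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The rest of each user entry: the owner may update it, any bound
# identity ("users") may read it, anonymous clients see nothing.
access to dn.subtree="ou=users,dc=example,dc=com"
        by self write
        by users read
        by * none

# The suffix entry and anything else: readable by bound users only, so
# clients can search from the base after binding.
access to *
        by users read
        by * none
```

Generate a hashed value with `slappasswd -s <password>` and paste it into rootpw or into a userPassword value; a user then browses with `ldapsearch -x -D "uid=nik,ou=users,dc=example,dc=com" -W -b "dc=example,dc=com"`.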