[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: ACL userPassword Problem Re-Visited
On Thursday, 7. March 2002 03:28, Christine Robertson wrote:
> Hi All,
>
> This is a long post; sorry, but I need to show the traces.
> I have now worked out why, although apparently binding
> successfully as the record DN, I could not see the
> userPassword attribute of my posixAccount record.
> Incidentally, this is OpenLDAP 2.0.22 on FreeBSD 4.5.
>
> The problem lies with our setup. We have 7 directories,
> 6 with suffixes of the form dc=au,dc=cordoors,dc=com,
> and a master directory of dc=cordoors,dc=com which
> contains references to the other 6 directories,
> thus enabling us to look up records with the generic
> base of "dc=cordoors,dc=com."
Hi,
to clear things a little up:
With your setup you are chasing referrals with simple bind (providing a bind
dn and a user password). However, the client library is always chasing these
referrals with an anonymously for security reasons (if it was different, I
could insert a referral to my own LDAP server into your directory and all
users would send me their passwords). So you are just doing an anonymous
search. (you can test this fairly easy, just remove the -C parameter from
ldapsearch and you won't chase referrals at all).
If you have made sure that those security considerations do not apply to your
directory (e.g. because only trustwothy administrators are able to write
entrys into your directory) and you are using your own client (not the
command line tools that are coming with OpenLDAP), your client code could
provide a rebind function. That is actually a callback function that does the
rebind to the server when chasing referrals (that means you will have to
store the bind dn and the password in a global variable and access it from
the function). (The API call is ldap_set_rebind_proc).
Another (more secure way) is using SASL authentication. In this case no
cleartext passwords are sent to the server at all and rebinds are not
anonymous. The pitfall of this solution is, that the credentials are not in
the directory, so you have to administer the users in two sources (LDAP and
the underlying SASL mechanism (e.g. sasldb or Kerberos V)).
Yours
Stephan Siano
--
Stephan Siano Mail: Stephan.Siano@suse.de
SuSE Linux AG Phone: 06196 50951 31
CU PS DU South TCC UC Fax: 06196 409607
Mergenthalerallee 45-47
D-65760 Eschborn