ACL to allow resolving uid@domain to a full DN?
I'm attempting to create an address book system, but I don't want to allow
full anonymous read access. With certain clients I can just put a DN
string and password in the client config, such as:

    Username: uid=dan@tangledhelix.com,ou=addressbook,o=MyOrg
    Password: something

And they authenticate and can view entries without trouble. Anonymous
reads are disabled, as there are those concerned about spammer harvesting.
I'm not sure I buy into that being a real threat, but it's something I have
to try to work around.

However, some clients (such as Netscape Communicator 4.x) take a
user@domain style username...

    Username: dan@tangledhelix.com
    Password: something

It then binds anonymously to turn that uid into a full DN, which it then
uses to bind and search. However, since I can't turn on anonymous reads
this isn't working for me at all. I've tried a number of things, but
nothing appears to work. I've read over the documentation numerous times
so I've RTFM already.

Anyone had to tackle this before, or can supply a working ACL? I've been
racking my brains against this for two days without any success...

TIA,
-dan
--
Our doubts are traitors
And make us lose the good we might oft win,
By fearing to attempt.
-William Shakespeare, "Measure for Measure"
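
An added illustration, not part of the original post and not a reply from the list: one way to grant only what the resolve-then-bind flow described above needs. It assumes the server is OpenLDAP slapd with 2.4-style slapd.conf ACL syntax and that the client's lookup filter is on uid; the subtree DN is the one from the post.

```conf
# Added example (assumed: OpenLDAP 2.4 slapd.conf ACL syntax).
# Clauses are evaluated top to bottom; the first matching "access to"
# clause wins, and each clause ends with an implicit "by * none".

# 1. Credentials: anonymous may authenticate against the value during a
#    simple bind, but nobody is given the value back.
access to dn.subtree="ou=addressbook,o=MyOrg" attrs=userPassword
        by anonymous auth
        by * none

# 2. DN resolution: anonymous may use uid in a search filter ("search"),
#    but the attribute value itself is returned only to bound users.
access to dn.subtree="ou=addressbook,o=MyOrg" attrs=uid
        by users read
        by anonymous search
        by * none

# 3. The "entry" pseudo-attribute decides whether a matching entry (its DN)
#    is returned at all; the bind that follows also checks it.
access to dn.subtree="ou=addressbook,o=MyOrg" attrs=entry
        by users read
        by anonymous read
        by * none

# 4. Everything else in the address book: authenticated users only.
access to dn.subtree="ou=addressbook,o=MyOrg"
        by users read
        by * none
```

With these rules an unauthenticated search on uid returns the entry's DN and no attributes. Because the DN in this naming scheme contains the uid, an anonymous client can still confirm that an address exists, so this narrows the harvesting concern rather than removing it.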