
Re: i have no name!
Thu, 2003-02-13 at 14:35, John Dalbec wrote:

> > access to dn="" by * read
> > access to *
> >         by self write
> >         by users read
> >         by anonymous auth
> > 
> > That seems like it would be hard for a user to NOT have access to
> > something.  

> Actually ordinary users access the directory anonymously.

A "user" is not a "user" until he has authenticated with a DN and a
password. He will not then be anonymous any longer.

> Otherwise the 
> system would have to repeatedly ask you to enter your password in order 
> to bind as you.

For each separate bind as an authenticated user, a valid DN and the
associated password are required. For the password to be accessible, an
anonymous authentication is necessary, hence "by anonymous auth." The
system authenticates automatically, if the DN and given password are
correct. After each directory operation, an unbind is issued. For a new
operation a new bind is necessary.

>   Root is an exception because there's only one password 
> that it has to use (in /etc/ldap.secret).

The proxy user, as defined in /etc/ldap.conf, has his password in
/etc/ldap.secret. He is not "root" or shouldn't be. It is not necessary
to have a proxy user to bind as a mortal.

> Try "by anonymous read" in 
> your ACL.

This would defeat the whole concept of security and give the whole world
access to your entire DIT.

> You might want to have a separate "access to 
> attr=userPassword" paragraph so your encrypted passwords are not exposed.

What access exactly? You've just given the world read access to
everything. You will not be able to revoke that access, once given.

Brian's problem would seem (from what he writes) to be due to the fact
that he hasn't defined his DN.

Best,

Tony

-- 

Tony Earnshaw

"Can anyone define 'modern enclitic
mediocrity' in terms of the Euro for me?"
- Billy the (Norwegian-Dutch) Cat, Feb '03

e-post:		tonni@billy.demon.nl
www:		http://www.billy.demon.nl
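
The ACL trade-off argued over in this thread, written out as a worked slapd.conf fragment. This is an added example, not configuration taken from the original messages or from Brian's, John's or Tony's servers; the suffix dc=example,dc=com is an assumption, and the dn.base selector is OpenLDAP 2.1 syntax. The point it demonstrates is ordering: slapd evaluates "access to" clauses top to bottom and stops at the first clause whose target matches the entry or attribute being touched, so a userPassword clause placed before the catch-all keeps the hashes private even when the catch-all is generous, while "by anonymous read" on the catch-all alone exposes them.

```conf
# Added example, not from the original thread. Suffix is assumed.
#
# slapd evaluates "access to" clauses in order and stops at the first one
# whose target matches; within a clause it stops at the first "by" whose
# subject matches. Put the most specific clause first.

# --- Weak form (what "by anonymous read" on the catch-all does) ---
#
# access to *
#         by anonymous read
#
# Every entry and every attribute, userPassword hashes included, is
# readable by anyone who can reach the port. Do not do this.

# --- Hardened form ---

# 1. Password attribute first, so the catch-all below never reaches it.
#    "auth" lets an unauthenticated client bind (slapd compares the
#    password on the client's behalf) without being able to read the hash.
#    "self write" lets a bound user change their own password.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Root DSE readable by everyone; client libraries query it before
#    binding.
access to dn.base="" by * read

# 3. Everything else: owners edit their own entry, authenticated users
#    read, unauthenticated clients get nothing beyond the bind itself.
access to *
        by self write
        by users read
        by anonymous auth
```

To check the result, run an anonymous search (ldapsearch -x) against a user entry and request userPassword: the attribute must not come back. Then bind as that user (ldapsearch -x -D <user DN> -W): the bind must still succeed, which is exactly what "by anonymous auth" on userPassword provides. If you instead put the userPassword clause after "access to *", the catch-all matches first and the userPassword clause is never consulted.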