
Re: MacOS X logins very, very slow or failing with Openldap 2.1.23...

--On Tuesday, November 25, 2003 4:48 PM -0500 Everette Gray Allen <Everette_Allen@ncsu.edu> wrote:

So do you restrict users so they can only read their own data?

We are trying to do this using:
access to *
         by self read
         by anonymous auth

access to dn.regex="uid=(.*),ou=people,dc=ncsu,dc=edu"
         by dn.regex="$1" read
         by anonymous auth
and saslauthd for simple binds.

It works if I code the DN and password in directory setup, but I cannot
see another way to do it.

Well, there are two different things here:

1) OS X logins - For this, we expose posixAccount attributes via anonymous bind to a specific range of IP addresses. Note that since we are using K5 for our authentication, there is no need for them to query any password attributes from the directory system.

2) User authentication once they are logged in: Users can see any information available to the 'stanford visible' subset of information at Stanford University via SASL/GSSAPI binds. We do not allow users to modify or change directory data directly; they must use a web-based frontend utility to make those types of changes.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
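The two-tier setup Quanah describes, sketched in OpenLDAP 2.1 slapd.conf syntax as an added example (not Stanford's or Quanah's actual configuration, and not part of the original thread). The suffix dc=example,dc=edu, the workstation subnet 10.20.0.0/16, the realm example.edu, the frontend DN and the attribute lists are placeholders to adjust per site.

```conf
# Added example, not the poster's configuration. Assumptions: suffix
# dc=example,dc=edu, workstation subnet 10.20.0.0/16, Kerberos realm
# EXAMPLE.EDU (realm appears lowercased in the SASL authorization DN),
# and illustrative attribute lists.

# Map SASL/GSSAPI identities onto the user's own entry so that "by self"
# and "by users" match after a Kerberos bind (2.2 renames this authz-regexp).
sasl-regexp uid=([^,]*),cn=example.edu,cn=gssapi,cn=auth
            uid=$1,ou=people,dc=example,dc=edu

# With Kerberos nothing needs to read password attributes, so nobody gets
# them. Keep "by * auth" instead only if simple binds (saslauthd) are used.
access to attrs=userPassword
        by * none

# Tier 1, OS X logins: posixAccount attributes readable anonymously, but
# only from the workstation subnet. In 2.1 peername looks like
# "IP=10.20.3.4:49152", hence the anchored regex. Authenticated users
# can read them from anywhere.
access to attrs=objectClass,uid,uidNumber,gidNumber,homeDirectory,loginShell,cn,gecos
        by peername.regex="^IP=10\.20\.[0-9]+\.[0-9]+:[0-9]+$" read
        by users read
        by * none

# Tier 2, the "visible" subset: readable only after a SASL/GSSAPI bind,
# never anonymously.
access to attrs=mail,telephoneNumber,ou,title
        by users read
        by * none

# Everything else: the owner may read (not write) their own entry; edits
# happen through the web frontend, which binds with its own identity.
access to *
        by self read
        by dn.exact="cn=webfrontend,ou=services,dc=example,dc=edu" write
        by * none
```

Rule order matters: slapd uses the first `access to` clause whose target matches, so the attribute-specific clauses must precede the catch-all `access to *`.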