[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: LDAP and authentication

To: Matthijs <matthijs@cacholong.nl>
Subject: Re: LDAP and authentication
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Sun, 08 Feb 2004 15:41:26 -0800
Cc: openldap-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <1076277851.2642.11.camel@monster.cacholong.nl>
References: <1076271286.2017.9.camel@monster.cacholong.nl> <412692670.1076247489@cadabra-dsl.stanford.edu> <1076277851.2642.11.camel@monster.cacholong.nl>

--On Sunday, February 08, 2004 11:04 PM +0100 Matthijs <matthijs@cacholong.nl> wrote:

sasl-regexp uid=(.*),cn=stanford.edu,cn=gssapi,cn=auth
ldaps:///uid=$1,cn=Accounts,dc=stanford,dc=edu

You would like to say this: changing my acl's to:

access to attribute=userPassword
        by dn="dc=cacholong,dc=nl" write
        by dn="uid=ldapadm,cn=cacholong.nl,cn=auth" write
        by anonymous auth
        by self write
        by * none
access to *
        by dn="dc=cacholong,dc=nl" write
        by dn="uid=ldapadm,cn=cacholong.nl,cn=auth" write
        by * read

You say with sasl-regexp, i've never used that configuration option so i
have to carefully read what it does.

It looks like you actually don't have to change much, and you have misread what I've said.

What you want is something like:

sasl-regexp=uid=(.*),cn=cacholong.nl,cn=gssapi,cn=auth ldap://uid=$1,dc=cacholong,dc=nl

That should map this:

uid=ldapadm,cn=cacholong.nl,cn=gssapi,cn=auth

to

uid=ldapadm,dc=cacholong,dc=nl

Then you can use this ACL:

access to attribute=userPassword
       by dn="dc=cacholong,dc=nl" write
       by dn="uid=ldapadm,dc=cacholong,dc=nl" write
       by anonymous auth
       by self write
       by * none
access to *
       by dn="dc=cacholong,dc=nl" write
       by dn="uid=ldapadm,dc=cacholong,dc=nl" write
       by * read


--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

---------------------------------------------------------------------------- OPINIONS EXPRESSED BY ME ARE NOT NECESSARILY SHARED BY MY EMPLOYER ---------------------------------------------------------------------------- "Why of course the people don't want war. . . . That is understood. But, after all, it is the leaders of the country who determine the policy and it is always a simple matter to drag the people along, whether it is a democracy, or a fascist dictatorship, or a parliament, or a communist dictatorship. Voice or no voice, the people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked, and denounce the peacemakers for lack of patriotism and exposing the country to danger. It works the same in any country." --Hermann Goering, Nazi officer, during his Nuremberg war crimes trial

Follow-Ups:
- Re: LDAP and authentication
  - From: Matthijs <matthijs@cacholong.nl>

References:
- LDAP and authentication
  - From: Matthijs <matthijs@cacholong.nl>
- Re: LDAP and authentication
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: LDAP and authentication
  - From: Matthijs <matthijs@cacholong.nl>

Prev by Date: Re: LDAP and authentication
Next by Date: Re: LDAP and authentication
Index(es):
- Chronological
- Thread