Re: Slave/Replica server authentication/authorization question
|> From my understanding the following rules should allow for users
|> to authenticate as themselves or anonymously:
|>
|> access to attrs=userPassword
|>         by self write
|>         by anonymous auth
|>
|> and the following allows anonymous queries of the database:
|>
|> access to *
|>         by * read
|
| I think you misunderstand what "auth" means. I think you need
| "compare" for your anonymous line at a minimum, otherwise there is
| no access to the userPassword entry that the incoming connection
| can use to determine if the password supplied is correct or not.
|
| Please see:
|
| <http://www.openldap.org/doc/admin22/slapdconfig.html#Access%20Control>
|
So I checked out the link you provided, and found this:

    access to attr=userPassword
            by self write
            by anonymous auth
            by dn.base="cn=Admin,dc=example,dc=com" write
            by * none

which, with the exception of the dn.base and "by * none" lines, is exactly what
I currently have in my replica's slapd.conf. So, according to all the
information I've found, the syntax is correct. The problem does get
weirder though: when I enter an ACL, nothing works on my Linux boxes. If
I remove all ACLs the Linux boxes authenticate fine, but I can't bind
with ldapsearch -x -D ... -W.
Quite strange. All db files are in /var/lib/ldap and are owned by
user and group ldap, which is who slapd runs as. Very interesting...
--
Aaron M. Hirsch
Atos Origin - Cellnet
11146 Thompson Ave.
Lenexa, KS 66219
Work:(913) 312-4717
Fax:(913) 312-4701
Mobile:(913) 284-9094
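The two rules discussed in the thread, combined in the order slapd needs them, as an added example that is not part of the original message (the base DN, the admin DN and the replica's updatedn are assumed):

```conf
# Added example, not from the thread. Assumed base DN: dc=example,dc=com.
#
# slapd evaluates "access to" directives in order and applies the first
# one whose <what> clause matches the entry or attribute being accessed.
# The userPassword rule must therefore come BEFORE the catch-all: if
# "access to * by * read" were listed first, it would match userPassword
# as well and anonymous clients could read every password hash.

# 1. userPassword: the entry owner may change it; anonymous (and any other)
#    connections may only use it to bind ("auth"), never read or compare it.
#    The dn.base line is only needed if the replica's updatedn (assumed
#    here to be cn=Admin) is not the rootdn, since rootdn bypasses ACLs.
access to attrs=userPassword
        by self write
        by anonymous auth
        by dn.base="cn=Admin,dc=example,dc=com" write
        by * none

# 2. Everything else stays world-readable, which is what lets the Linux
#    clients look up posixAccount / posixGroup entries after (or without) a bind.
access to *
        by * read
```

Remember that the first matching "access to" directive wins; a later, more specific userPassword rule never takes effect if the "access to *" rule precedes it.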