
Re: Bind dn connection



Yes, actually that's exactly what I intended to do. I tried implementing the
ACLs the way you had suggested, but somehow I am not able to work that out. I
am not able to authenticate the users individually for my particular service.
So I have implemented simple bind for now as per Kurt's suggestion for one
service. Once it works, I will implement it for other services too. (I am new
to OpenLDAP so my implementation is going slowly.)
Currently to reach my first milestone, I need to be able to bind to the server
based on just one attribute in the DN.
For ex:
ldapsearch -x -D "cn=Manager" -w password... and so on.
I was under the impression I need to specify the complete DN every time for
the -D option, but the requirements given to me contain just one attribute.
Is there a way to append the base DN by default, so then we can specify just
the attribute while binding to the server?

Thanks in advance for the help.

Prachi.


--- TechnoSophos <technosophos@gmail.com> wrote:

> For our directory, I use a separate DN for binding. That way, we don't
> have to allow anonymous binding, but we also don't have to use some
> priv'ed account.
> 
> Here is the basic idea:
> 
> We have a user in the directory: "cn=Auth,dc=company,dc=com", and we
> give that user permissions (via ACLs) to authenticate other users.
> 
> access to attr=userPassword
>   by .... (the usual lines)
>   by dn="cn=Auth,dc=company,dc=com" auth
>   by * none
> 
> And I use a similar ACL for attributes that Auth may need to search
> for (cn, uid, etc). These attributes, though, need read permissions
> (not just auth).
> 
> Then we can deny Auth from just about everything else.
> 
> Now, applications can bind as Auth, do searches for the correct DN,
> and then re-bind as that user.
> 
> You'll have to tailor ACLs to your liking, but I think this is the
> sort of thing you have in mind, right?
> 
> (Reading on, I see that Kurt suggests the possibility of doing a
> simple bind, where you bind directly as the DN that you want to use.
> In that case, there is no searching/re-binding step. That's another
> option, too -- maybe a faster one.)
> 
> 
> On 6/14/06, Prachi Sonalkar <prachisonalkar@yahoo.com> wrote:
> > Hi Kurt,
> > Thanks for the reply, and suggestions.
> >
> > Following up on the same issue, is it possible that I can have more
> > than one bind DN configured? Currently in slapd.conf, I have my rootdn
> > as "cn=Manager, dc=company, dc=com".
> > Can I add another dn that can be used for authentication? ex:
> > cn=service1,dc=company,dc=com.
> > The idea was that for each service if I have a bind dn, that way users
> > for that service identity can authenticate based on the service bind
> > dn. I am adding a service name attribute to each user entry.
> > On the clients end, I am just using simple LDAP queries to get data
> > from the server, no updates required.
> >
> > Thanking you in advance,
> > Prachi Sonalkar.
> >
> > --- "Kurt D. Zeilenga" <Kurt@OpenLDAP.org> wrote:
> >
> > > At 02:28 PM 6/12/2006, Prachi Sonalkar wrote:
> > > >Hi all,
> > > >I am currently setting up an LDAP server using OpenLDAP,
> > > >and I need to specify a few bind dns, specific to
> > > >various service applications in the organization.
> > > >I need to also set up a limit on the number of bind dn
> > > >connections,
> > >
> > > I assume you want to limit the number of connections
> > > a particular authentication identity (or, maybe,
> > > authorization identity) may have open to a particular
> > > server.  At present, no such mechanism exists.
> > >
> > > >which I am not aware how to do (I tried
> > > >to dig in through the OpenLDAP FAQs)
> > > >I tried to configure ldap.conf with bind dn and bindpw
> > > >values as follows:
> > > >domain  company.com
> > > >server  company.com:389
> > > >BASE    dc=company,dc=com
> > > >binddn  "cn=service1,dc=company,dc=com"
> > > >bindpw  password
> > >
> > > domain, server, and bindpw are not valid OpenLDAP
> > > ldap.conf(5) directives.  See ldap.conf(5) for details.
> > >
> > > Anyways, OpenLDAP ldap.conf(5) provides defaults for
> > > the LDAP client library.  As it seems to me that you are
> > > looking for some server-side administrative control, I
> > > do not see how this file could be relevant.
> > >
> > > >but the specified bind dn and password are not
> > > >accepted to establish a bind to the LDAP server.
> > >
> > > Given the above, that's not surprising.
> > >
> > > >The idea is to enable authorized services to establish a
> > > >persistent bind connection with the LDAP server;
> > >
> > > Seems like you seek information about a particular
> > > directory application/client.  If so, you should
> > > do so on a list about that application/client.
> > >
> > > >and
> > > >also limit the number of such bind connections at the
> > > >LDAP end.
> > >
> > > Regarding server limits, see above note.
> > >
> > > >Has someone tried this, and can suggest to me what is
> > > >going wrong?
> > > >
> > > >Any help will be appreciated!
> > > >
> > > >Thanks,
> > > >PS.
> > > >
> > >
> > >
> > >
> >
> >
> >
> 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com
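Two points in this thread lend themselves to a worked example: the question of binding from a single attribute value (ldap.conf BASE only sets the default search base, so the client has to assemble the full bind DN itself), and the bind-as-Auth, search, re-bind pattern described by TechnoSophos, where the application builds a search filter from user-supplied values. The Python below is an added example, not code from the thread or from OpenLDAP; the base DN and the `serviceName` attribute name are assumptions taken from or modelled on the poster's description.

```python
"""Added example, not from the thread: full bind DN from one attribute value
plus the base DN, and the escaped filter an Auth account would use before
re-binding as the found user.  Constructed values; no server is contacted."""
BASE_DN = "dc=company,dc=com"   # the BASE line from the poster's ldap.conf

# RFC 4514 section 2.4: characters that need a backslash inside a DN value.
_DN_SPECIAL = set(',+"\\<>;')

def escape_dn_value(value: str) -> str:
    """Escape one RDN value so it cannot end the RDN or add RDN components
    (also leading '#' or space and trailing space, as the RFC requires)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)

def bind_dn(rdn_attr: str, rdn_value: str, base: str = BASE_DN) -> str:
    """'cn' + 'Manager' -> 'cn=Manager,dc=company,dc=com'.  ldap.conf BASE only
    sets the default search base, so the client must build the bind DN itself."""
    return f"{rdn_attr}={escape_dn_value(rdn_value)},{base}"

# RFC 4515 section 3: characters that need hex escaping inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_lookup_filter(uid: str, service: str, service_attr: str = "serviceName") -> str:
    """Filter the Auth account runs to find the DN of one service's user before the
    application re-binds as that user.  'serviceName' is a hypothetical name for the
    per-user service attribute the poster is adding; both values are escaped."""
    return (f"(&(uid={escape_filter_value(uid)})"
            f"({service_attr}={escape_filter_value(service)}))")

if __name__ == "__main__":
    print(bind_dn("cn", "Manager"))                # cn=Manager,dc=company,dc=com
    print(bind_dn("cn", "Smith, John"))            # cn=Smith\, John,dc=company,dc=com
    print(user_lookup_filter("jdoe", "service1"))  # (&(uid=jdoe)(serviceName=service1))
```

The escaping is what keeps a value supplied at login time from becoming extra RDN components or extra filter terms; the Auth account's ACLs (auth on userPassword, read on the searched attributes, nothing else) limit what that lookup can reveal even if a value slips through.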