
Re: Trying to figure out access policies




On 27-Jun-06, at 2:01 PM, Kurt D. Zeilenga wrote:

At 09:38 AM 6/27/2006, Jason Lixfeld wrote:
I think I'm somewhat versed in the basics of OpenLDAP, but the
concept of access policies eludes me because they are far beyond my
current level of comprehension.  That being said, I'm doing some
trial by fire to try to make sense of how they work and hopefully
will then be able to relate some of what I read in the manual to what
I've made happen in tests...

I'm trying to get a proxyuser working so I don't have to do
everything as Manager.

I put this entry into my slapd.conf as per some tutorials I read:

access to attrs=userPassword
      by dn="cn=Proxyuser,dc=example,dc=ca" read

and likewise, these entries into my ldap.conf:

binddn cn=Proxyuser,dc=example,dc=ca
bindpw ****
rootbinddn cn=Proxyuser,dc=example,dc=ca

and finally, the Proxyuser password in /etc/ldap.secret.

bindpw and rootbinddn are not OpenLDAP configuration directives. binddn is, but it's not relevant here as you used the -D flag (or were specifying an anonymous bind). I also do not see the relevance of an ldap.secret given you didn't tell ldapsearch(1) to use a password file (via the -y flag).

Ok, this all makes much more sense now, thank you, Kurt. Nowhere in the examples I found did it make reference to using a -y flag with the ldap.secret file so I was very unclear on this, thinking the "proxyuser" was some sort of special case user. I see now how this all correlates.


Also, I'm a little confused about the difference between binddn and
rootbinddn.

Well, given that rootbinddn is not an OpenLDAP ldap.conf(5) directive, it's ignored. As was bindpw. In your use of ldapsearch(1), the binddn directive was ignored because either you provided a binddn or were specifying an anonymous bind (e.g., no password).

Note that discussion regarding the difference of directives in
non-OpenLDAP software packages (such as PAM/LDAP and NSS/LDAP)
is off-topic here.

I didn't even clue into the fact that the ldap.conf file I was using had parts in there for nss/ldap. I apologize for going off-topic.


- Kurt
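An added example, not from this thread, showing the slapd.conf ACL as posted next to a form that keeps simple binds working. The DNs are the ones from the thread; the second clause, the dn.exact style and the comments are mine, written against slapd.access(5).

```conf
# Added example, not from the thread. In slapd.conf an access clause
# with no "by * ..." line ends with an implicit "by * none".
#
# As posted. Only cn=Proxyuser (and the rootdn, which bypasses ACLs)
# gets any access to userPassword. A simple bind is evaluated as
# anonymous, because the identity is not yet established, and needs
# "auth" on the target entry's userPassword. With this clause that
# access is "none", so no simple bind other than the rootdn's can
# succeed, not even one as Proxyuser itself:
#
# access to attrs=userPassword
#       by dn="cn=Proxyuser,dc=example,dc=ca" read
#
# Corrected. The entry owner may change the password, anonymous gets
# the "auth" level a bind needs, the proxy user keeps "read" (which
# implies auth, compare and search; an NSS/PAM proxy that must fetch
# hashes needs read, one that only has to bind or match needs only
# auth or compare), and everyone else is shut out explicitly.
# dn.exact matches the DN exactly.
access to attrs=userPassword
      by self write
      by anonymous auth
      by dn.exact="cn=Proxyuser,dc=example,dc=ca" read
      by * none

# Everything else. This clause is assumed to follow the userPassword
# clause: slapd applies the first "access to" clause whose <what>
# matches, so a broad "access to *" placed first would swallow the
# password rule above.
access to *
      by dn.exact="cn=Proxyuser,dc=example,dc=ca" read
      by users read
      by * none
```

Two checks go with this. slapacl(8) evaluates the loaded ACLs without a running server, for example `slapacl -f /etc/openldap/slapd.conf -D "cn=Proxyuser,dc=example,dc=ca" -b "uid=jdoe,ou=People,dc=example,dc=ca" userPassword` (the entry DN is a placeholder; the tool reports the access level granted). To search as the proxy user with the password kept out of the command line, use the flags Kurt names: `ldapsearch -x -H ldap://localhost -D "cn=Proxyuser,dc=example,dc=ca" -y /etc/ldap.secret -b "dc=example,dc=ca" "(uid=jdoe)"`. ldapsearch(1) documents that -y uses the complete contents of the file as the password, so a trailing newline in /etc/ldap.secret becomes part of the password; create the file with no newline and mode 0600. The binddn directive in ldap.conf(5) is documented as a user-only option, honoured in ldaprc and .ldaprc rather than the system-wide ldap.conf, which is another reason to pass -D explicitly.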