
Re: Access auth granularity?



On 09.05.2016 13:31, Hallvard Breien Furuseth wrote:
On 09. mai 2016 09:00, Dora Paula wrote:
Dear List,

I've two subtrees that contain user-accounts:
ou=usersA,dc=example,dc=com and ou=usersB,dc=example,dc=com.

Goal: Users below ou=usersA,... should only be allowed to bind using
sasl_bind, but not with simple_bind. Whereas users below ou=usersB,...
should be allowed to bind using both (or any kind of bind).

Simple Bind uses anonymous auth (=x) access to userPassword.
Does your SASL setup use userPassword?  If not, or if userPassword
for SASL looks like {foo}something but other passwords do not,
you can use something like

olcAccess: to attrs=userPassword dn.children="ou=usersB,..."
   by anonymous =x
   by self =w
# just reject passwords outside usersB.  If you need something else,
# may add val.regex=^[{]SASL[}] or whatever, see man slapd.access(5)
olcAccess: to attrs=userPassword by * none



Oh ha, this sounds very promising! I'll give it a try.

Just one quick question: How can I tell slapd to use a customUserPassword attribute instead of the hard-coded userPassword, to avoid the somewhat performance-hungry "val.regex=" check?

Thank you very much!
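As an added example, not from the thread, here is how the rules suggested above could be applied to cn=config as one complete, ordered olcAccess set; it assumes the data lives in olcDatabase={1}mdb and that the rest of the tree still needs an ordinary access rule after the password rules.

```ldif
# Added example: replace the whole olcAccess list of the mdb database.
# olcDatabase={1}mdb,cn=config is an assumed DN; check yours with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# ou=usersB: anonymous may authenticate (auth, same as =x) against the stored
# password, which is exactly what a simple bind needs; the account owner may
# change its password but cannot read it back.
olcAccess: {0}to dn.children="ou=usersB,dc=example,dc=com" attrs=userPassword
  by anonymous auth
  by self =w
# Every other userPassword, including ou=usersA: nobody gets even auth
# access, so a simple bind as a usersA account is rejected with
# "Invalid credentials (49)". SASL mechanisms that do not consult
# userPassword (e.g. EXTERNAL) are unaffected. The rootdn bypasses ACLs,
# so an administrator can still set these passwords.
olcAccess: {1}to attrs=userPassword
  by * none
# Ordinary rule for the remaining attributes. It must come AFTER the two
# password rules: slapd uses the first "to" clause whose target matches,
# so a "to *" placed earlier would silently swallow the userPassword cases.
olcAccess: {2}to *
  by self write
  by users read
  by anonymous auth
```

Continuation lines in LDIF keep a leading space plus one real space, which is why the "by" lines are indented by two. After `ldapmodify -Y EXTERNAL -H ldapi:/// -f this.ldif`, `ldapwhoami -x -D uid=someone,ou=usersA,dc=example,dc=com -W` should fail while the same command for an ou=usersB account succeeds.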