
Re: ACL query : write by self without passwords ?



Hi Tim,
   what you need is a "make me" requester service the service can contact to
request the creation of an entry in the ldap server. This management service would
use a manager authority to create the entry for the service and supply credential
information back to the service for later use.
Or you could do it as the microsoft ils services work (they are ldap servers),
allow anyone to create an object with whatever details they want.
Cheers,
   Gerrit Thosmon.

tim fulcher wrote:

> James Blackwell wrote:
>
> > > processes. I created a new object type which has a couple of attributes,
> > > but I
> > > didn't associated a password attribute with the class. When a processes
> > > starts
> > > up, I want it to lookup its own entry in the directory, and update
> > > attributes
> > > which differ from its current state.
> >
> > For the first question, it would be best to just set a password for each
> > server, and have it know it's own password. I suppose you can do a
> > derivation of the fix I have for you on not knowing the root password
> > below, but then you'll have an ldap server willing to take anything
> > from anyone that can reach it. (Read: Really bad idea).
>
> Thanks for the follow up.
>
> OK, I have it now that each process will have its own password. That is now
> working fine for when the entry exists and they check the attributes.
>
> What about the situation where the process doesn't yet have an entry in the
> directory?
> Ideally I want it to be able to add itself in, but when I try that I get "no
> such object" on the bind phase of the add. Of course, it doesn't exist yet. Is
> this an ACL thing or do I have to bind as some existing object in order to do
> an add. (That kinda scuppers the idea of adding your own entry).
>
> Currently my ACL is   access to * by self write by * read
> I guess I'd need to change that so only things binding with the same dc can
> add themselves. As you say, I don't want any old client adding their entry
> in!
>
> Tim
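An added example, not part of this thread, of what the "make me" provisioning-service design above looks like as an OpenLDAP ACL. It is written in the later slapd.conf syntax (dn.exact / dn.children, so it assumes OpenLDAP 2.1 or newer), and the suffix dc=example,dc=com, the ou=services container and the cn=provisioner identity are placeholders.

```conf
# Assumed layout: service entries live under ou=services,dc=example,dc=com and
# the "make me" provisioning service binds as cn=provisioner,dc=example,dc=com.
# slapd stops at the first "access to" clause that matches, so the specific
# rules must come before the catch-all.

# Password hashes: writable by the owning entry, usable for bind by anyone,
# readable by nobody. The thread's "access to * ... by * read" would instead let
# any client read every userPassword value.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Adding an entry needs write access to the "children" pseudo-attribute of the
# parent. Only the provisioning service gets it. This is also why a process
# cannot add itself: "self" is the bound DN, and an entry that does not exist
# yet has nothing to bind as.
access to dn.exact="ou=services,dc=example,dc=com" attrs=children
    by dn.exact="cn=provisioner,dc=example,dc=com" write
    by * read

# Once its entry exists, a service (bound with the password the provisioner
# handed back to it) may update its own attributes; everyone else may read.
access to dn.children="ou=services,dc=example,dc=com"
    by dn.exact="cn=provisioner,dc=example,dc=com" write
    by self write
    by * read

# Gerrit's second option, letting anyone create entries with any details, would
# be "by anonymous write" on the children rule above; James's warning applies,
# since any client that can reach the server could then add entries.

# Everything else keeps the thread's original rule.
access to *
    by self write
    by * read
```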