
Re: Access Control confusion



As a follow up to this, I have done more investigation.

I've come to the conclusion this is a client-related problem (maybe my
configuration of the client). If I access the LDAP server with either Netscape
Communicator 4.79 or Outlook Express 5.5 I can't authenticate. However, if I
do:

ldapsearch -L -D "cn=Postmaster@2cah.com,dc=2cah,dc=com" -W -x

Authentication works and I get a valid return from slapd.

It should be noted that I am running a Windows port
(http://www.fivesight.com/downloads/openldap.asp) of OpenLDAP's slapd v2.0.19
on Windows 2000 Professional, if that makes any difference.

I've got debug output from slapd if anyone needs to see it.

Suggestions?

Craig Morrison wrote:
> 
> I am a beginner with OpenLDAP so please pardon my ignorance. Pointers to
> relevant topics or suggestions would be greatly appreciated.
> 
> I've got OpenLDAP up and running successfully with the default access controls
> (access to * by * read). What I need to do is allow access to specific
> portions of a database using the following format:
> 
> <slapd.conf snippet>
> database        ldbm
> suffix          ""
> rootdn          "cn=craig,dc=2cah,dc=com"
> rootpw          xxxxx
> # Indices to maintain
> index   objectClass,cn,mail     pres,eq
> </slapd.conf snippet>
> 
> <LDIF snippet>
> dn: cn=Postmaster, dc=2cah, dc=com
> cn: Postmaster@2cah.com
> o: 2cah.com
> sn: Postmaster
> mail: Postmaster@2cah.com
> userPassword:: Y2ExOTYz
> objectClass: inetorgperson
> 
> dn: cn=Postmaster, dc=ezmts, dc=org
> cn: Postmaster@ezmts.org
> o: ezmts.org
> sn: Postmaster
> mail: Postmaster@ezmts.org
> userPassword:: Y2ExOTYz
> objectClass: inetorgperson
> </LDIF snippet>
> 
> Users from dc=2cah,dc=com should only be able to see the entries for 2cah.com
> but not for ezmts.org and the other way round using simple authentication.
> 
> I've been beating my head up against a wall trying to figure this out. I've
> read the portion of the admin guide covering ACIs but it still isn't sinking
> in.
> 
> Suggestions would be greatly appreciated. Thank you.
> 
> --
> 
> Craig Morrison
>   http://www.mtsprofessional.com/
>   A Win32 Email server that works for you.

-- 

Craig Morrison
  http://www.mtsprofessional.com/
  A Win32 Email server that works for you.
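For readers arriving at this thread with the same question as the quoted
message (per-suffix visibility under one "" database), here is one way to
express it in slapd.conf. This is an added example, not the poster's
configuration and not taken from the OpenLDAP documentation; it assumes the
OpenLDAP 2.0 ACL syntax in use on this server, where dn="..." in both the
"access to" and "by" clauses is a regular expression (2.1 and later spell
this dn.regex="..." or, more simply, dn.subtree="dc=2cah,dc=com"). The
userPassword clause is the part most people forget: a simple bind needs
"auth" access to userPassword for the not-yet-authenticated (anonymous)
binder, and a restrictive "access to *" rule without it breaks every bind
while ldapsearch as the rootdn keeps working, because the rootdn bypasses
ACLs entirely.

```text
# Added example (not the poster's slapd.conf). Assumes OpenLDAP 2.0 ACL
# syntax: dn="..." is a regular expression. Rules are evaluated in order and
# the first "access to" clause that matches the entry/attribute wins, so the
# userPassword rule must come before the per-suffix rules.
database        ldbm
suffix          ""
rootdn          "cn=craig,dc=2cah,dc=com"
rootpw          xxxxx
index   objectClass,cn,mail     pres,eq

# 1. Allow simple binds at all: the anonymous binder needs "auth" on
#    userPassword. "self write" lets a user change their own password;
#    nobody else can read the hash.
access to attr=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Entries in (and including) dc=2cah,dc=com: readable only by identities
#    that bound from the same tree. The "(.*,)?" prefix also matches the
#    dc=2cah,dc=com entry itself; the trailing "$" anchors the suffix.
access to dn="(.*,)?dc=2cah,dc=com$"
        by dn=".*,dc=2cah,dc=com$" read
        by * none

# 3. Same rule for dc=ezmts,dc=org.
access to dn="(.*,)?dc=ezmts,dc=org$"
        by dn=".*,dc=ezmts,dc=org$" read
        by * none

# 4. Everything else (including the "" root of this database) is hidden from
#    ordinary binders. The rootdn is not subject to these rules.
access to *
        by * none
```

A quick check after restarting slapd: bind as a dc=2cah,dc=com user and run
a subtree search from base "" (the database suffix here); only the 2cah.com
entries should come back, and the same search bound as a dc=ezmts,dc=org user
should return only the ezmts.org entries. If the bind itself fails with
"invalid credentials" even though the password is right, re-check that the
userPassword rule is present and listed first.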