Re: MacOS X logins very, very slow or failing with Openldap 2.1.23...

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Tuesday, November 25, 2003 4:48 PM -0500 Everette Gray Allen 
<Everette_Allen@ncsu.edu> wrote:

> So do you restrict users so they can only read their own data?
>
> We are trying to do this using:
> access to *
>          by self read
>          by anonymous auth
>
> access to dn.regex="uid=(.*),ou=people,dc=ncsu,dc=edu"
>          by dn.regex="$1" read
>          by anonymous auth
> and saslauthd for simple binds.
>
> it works if I code the dn and password in directory setup but I can not
> see another way to do it.

Well, there are two different things here:

1) OS X logins - For this, we expose posixAccount attributes via anonymous 
bind to a specific range of IP addresses.  Note that since we are using K5 
for our authentication, there is no need for them to query any password 
attributes from the directory system.

2) User authentication once they are logged in:  Users can see any 
information available to the 'stanford visible' subset of information at 
Stanford University via SASL/GSSAPI binds.  We do not allow users to modify 
or change directory data directly, they must use a web-based frontend 
utility to make those types of changes.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html