Quanah Gibson-Mount wrote:
--On Tuesday, November 25, 2003 4:48 PM -0500 Everette Gray Allen <Everette_Allen@ncsu.edu> wrote:
So do you restrict users so they can only read their own data?
We are trying to do this using:

    access to * by self read by anonymous auth
    access to dn.regex="uid=(.*),ou=people,dc=ncsu,dc=edu" by dn.regex="$1" read by anonymous auth

and saslauthd for simple binds.
It works if I code the DN and password in directory setup, but I cannot see another way to do it.
Well, there are two different things here:
1) OS X logins - For this, we expose posixAccount attributes via anonymous bind to a specific range of IP addresses. Note that since we are using K5 for our authentication, there is no need for them to query any password attributes from the directory system.
2) User authentication once they are logged in: Users can see any information available to the 'stanford visible' subset of information at Stanford University via SASL/GSSAPI binds. We do not allow users to modify or change directory data directly; they must use a web-based frontend utility to make those types of changes.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

--
Everette Gray Allen
Systems Programmer II
ITD Computing Services
Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109
919-515-4558
Everette_Allen@ncsu.edu
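The two cases Quanah describes, written out as an OpenLDAP slapd.conf access-control fragment. This is an added illustration, not configuration from either poster's directory: the suffix dc=example,dc=edu, the 10.0.0.0/16 client range, the attribute list and the cn=webfrontend service identity are placeholders, and the peername.ip form assumes OpenLDAP 2.2 or later (2.1 only offers peername.regex).

```conf
# Added example, not from the thread. Placeholders: dc=example,dc=edu,
# the 10.0.0.0/16 client range, and the cn=webfrontend service identity.
#
# slapd uses the first "access to" clause that matches the target entry
# and attribute, then the first "by" clause that matches the requester.
# A requester that matches no "by" clause gets no access, so the most
# privileged identity is listed first and a closing "by * none" makes
# the default explicit.

# Credentials are usable for authentication only: nobody reads them, and
# only the web frontend (the single writer in Quanah's model) may set them.
access to attrs=userPassword
        by dn.exact="cn=webfrontend,ou=services,dc=example,dc=edu" write
        by anonymous auth
        by * none

# Case 1: posixAccount attributes an OS X client needs before the user
# holds a Kerberos ticket. Anonymous read is granted, but only to clients
# whose source address is inside the campus client range.
access to dn.subtree="ou=people,dc=example,dc=edu"
          attrs=objectClass,uid,cn,uidNumber,gidNumber,homeDirectory,loginShell,gecos
        by dn.exact="cn=webfrontend,ou=services,dc=example,dc=edu" write
        by peername.ip=10.0.0.0%255.255.0.0 read
        by sasl_ssf=1 users read
        by * none

# Case 2: everything else in the visible subset. Readable by any user who
# bound through SASL with a security layer (GSSAPI here); a simple bind
# has a SASL SSF of 0 and therefore falls through to "by * none".
# No user writes: only the frontend identity may modify entries.
access to *
        by dn.exact="cn=webfrontend,ou=services,dc=example,dc=edu" write
        by sasl_ssf=1 users read
        by * none
```

Two things to check after loading such a fragment: an anonymous ldapsearch from outside the client range should return no posixAccount attributes at all, and a search bound via GSSAPI should see the visible subset but get an "insufficient access" error on any ldapmodify. If the directory authenticates with simple binds over TLS rather than GSSAPI (as in the saslauthd setup asked about), replace "sasl_ssf=1 users" with "ssf=128 users" so that the read grant keys on the transport-level strength instead of the SASL layer.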