Re: Restricted/controlled simple bind



Hi again.

Small update...

I started fiddling around with regexp ACLs after I wrote my mail (I thought of it just as I was finishing the mail), and so far I have been able to limit access to the userPassword (and as such, simple binds) to users in ou=People who have a userPassword like regexp "{SASL}.+@REALM". However, I have yet to find a way to expand a regexp from the dn containing the uid, into the attrs regexp. My ACL looks something like this:

access to dn.regex="^uid=([^,]+),ou=People,dc=example,dc=com$"
   attrs=userPassword val.regex="{SASL}.+@EXAMPLE.COM"
       by self read
       by anonymous auth
       by * none

I have tried to use val.exact="{SASL}$1@EXAMPLE.COM" but it doesn't appear to expand the $1 from the first dn.regex as I would like. Any ideas?

/Tobias

Tobias Franzén wrote:
Hi.

Is there a way to have a more fine-grained restriction for simple binds
rather than just On or Off? Maybe some ACL regexp?

For instance I want to restrict simple bind possibilities to direct
children of two or three OU groups, and furthermore I want to restrict
the simple binds for the normal users to those with a {SASL} entry in
their userPassword (or everyone if it cannot be specified separately).

I'm using the option "password-hash {CLEARTEXT}" and don't want users
without a userPassword like "{SASL}<uid>@REALM" to be allowed to do
simple binds to the LDAP database. I have a Kerberos realm set up to
handle passwords and saslauthd for the password check.

Some applications that I have running are not kerberized. So I can't
disable simple binds completely, since these applications still need to
do simple binds for authentication.

You might say that simple binds won't be possible if entries don't have
a userPassword attribute, but I'd like some better reassurance.

/Tobias
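An added example, not from the thread or from OpenLDAP: an offline audit that applies the per-entry rule the mail is trying to express in the ACL ("{SASL}<uid>@REALM", with the uid taken from the same dn.regex) to constructed LDIF records, so you can see which entries under ou=People would still be able to simple-bind without going through saslauthd/Kerberos. It only inspects exported data; slapd's own ACL evaluation is not simulated, and the realm name EXAMPLE.COM is assumed.

```python
import re
# Constructed sample LDIF (not from the original mail): one record per blank-line block.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {SASL}alice@EXAMPLE.COM

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: {SASL}carol@EXAMPLE.COM

dn: uid=carol,ou=People,dc=example,dc=com
userPassword: secret123

dn: uid=svc-backup,ou=Services,dc=example,dc=com
userPassword: {SASL}svc-backup@EXAMPLE.COM

dn: uid=dave,ou=People,dc=example,dc=com
"""

# Same dn.regex as the ACL in the mail: capture the uid of direct children of ou=People.
DN_RE = re.compile(r"^uid=([^,]+),ou=People,dc=example,dc=com$")
REALM = "EXAMPLE.COM"  # assumed Kerberos realm name

def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, records separated by blank lines."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def classify(entry):
    """Verdict for one entry: ok, out-of-scope, no-password, uid-mismatch or non-sasl."""
    m = DN_RE.match(entry["dn"][0])
    if not m:
        return "out-of-scope"   # not a direct child of ou=People; the ACL does not apply
    pw = entry.get("userPassword")
    if not pw:
        return "no-password"    # no simple bind possible at all
    expected = "{SASL}%s@%s" % (m.group(1), REALM)   # the per-entry value wanted
    if pw[0] == expected:
        return "ok"             # simple bind is passed through to saslauthd/Kerberos
    if pw[0].startswith("{SASL}"):
        return "uid-mismatch"   # {SASL} value names a different principal
    return "non-sasl"           # local hash or cleartext: bypasses Kerberos entirely

def audit(text):
    return {e["dn"][0]: classify(e) for e in parse_ldif(text)}
```

Run it against an `ldapsearch -LLL` export of ou=People instead of SAMPLE_LDIF; every verdict other than "ok" or "no-password" is an entry the ACL alone would not catch.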