
Re: ACL's



Unfortunately, you run into catch 22.  You must
bind to LDAP as a dn and password, and you get
the dn by searching for the uid, but can't
see the uid unless you bind as a valid user.

Typically, you bind as anonymous, search for the
uid (or mail, cn, etc) to get the dn, then bind
as the dn and password to auth, after which you
can see things.  If you are trying to hide
your uids, the person has to know their dn
(assuming the software allows you to put in a dn
instead of uid or whatever).

To make uid/pass work, you need to allow anonymous
to search on uid.  Netscape Communicator's address
book requires you to use the email address (mail
attribute) instead of uid, so anonymous has to
be able to search on mail to support Communicator
authed access to address books.  Netscape Calendar
client in Communicator goes against cn, sn, and/or
givenname, so those have to be searchable by
anonymous (actually, calendar probably does everything
as anonymous).  At this point, most of what you probably
want to protect has to be visible for your clients
to work... :(

Unfortunately, a lot of this tends to assume that
by default attributes are visible and that you
protect those that need to be secure, not hide
everything and only expose what is needed to be
exposed.

My best advice would be to look in your logs and
see what attributes are being searched by anonymous
(to get the initial dn to bind as), then open up
only that attribute, until you get it to work,
then see if that is acceptable.  In your case,
I would guess it is searching on the "mail"
attribute in LDAP to figure out what to bind as.



Joe Garcia wrote:

> Hey Rob,
>
>         I did this, yet I still cannot log on...here is what a typical ldap
> entry looks like, some of the attributes are for qmail with the ldap
> patches.
>
> dn: uid=akel, o=Greenberg News Networks, c=US
> cn: Annette Akel
> sn: Akel
> objectClass: top
> objectClass: person
> objectClass: qmailUser
> mail: akel@gnncast.net
> mailMessageStore: gnnmail/akel/
> uid: akel
> deliveryMode: normal
> userPassword: {crypt}8.dm56sH439sw
>
> Yet every time I try to get info from the server with Netscape I get this
> in response
>
> Mail id invalid or not unique, cannot resolve to directory authorization
> entry.
>
> Any idea??
>
> Joe
>
>
> Rob Byrne - Sun Microsystems wrote:
> >
> > Joe,
> >
> > You want to disallow anonymous access to your server ie. everyone
> > is forced to bind to the server before having the right to see anything.
> > This means changing the ACLs to disallow any anonymous access--so remove
> > anything that has "*" in the "by" clause of the ACLs.  Also, don't forget
> > to set
> > the default ACL to "none".
> >
> > Rob.
> >
> > Joe Garcia wrote:
> >
> > > How would I create an access list so that no information is shown until
> > > the person successfully logs on??  As in they need to enter a valid uid
> > > and password before they can get on.

--
 Jeff Clowser
 mailto:jclowser@aerotek.com       Hanover MD  21076 USA
 Phone: (410)-579-4328             7312 Parkway Drive
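As an added example (not posted in this thread, and written in OpenLDAP 2.x slapd.conf ACL syntax, which is assumed here and may differ from the server version the posters were running), here is an ACL set that follows the advice above: anonymous clients may only match a filter on mail or uid and learn the resulting DN, userPassword can be used for a bind but never read, and everything else becomes visible only after a successful bind.

```conf
# Example slapd.conf ACLs (OpenLDAP 2.x syntax, assumed). Clauses are
# evaluated top-down; the first "access to" that matches the attribute
# wins, so the password rule must come before the catch-all at the end.

# Passwords: never returned to anyone. "auth" lets slapd verify a simple
# bind against the stored value without disclosing it; the owner may
# change it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# The DN itself: "read" on the entry pseudo-attribute is what allows a
# matching entry (and thus its DN) to be returned from a search.
access to attrs=entry
        by anonymous read
        by users read
        by * none

# The lookup attributes the client searches on before binding. "search"
# lets anonymous match a filter such as (mail=akel@gnncast.net) without
# reading the values back. Add cn, sn or givenName here only if a client
# (e.g. the calendar) is seen searching on them in the logs.
access to attrs=mail,uid
        by anonymous search
        by users read
        by * none

# Everything else: readable only by a bound user; anonymous sees nothing.
access to *
        by users read
        by * none
```

Because anonymous gets no search right on objectClass or any other attribute, a bare `(objectClass=*)` filter returns nothing; the directory can be resolved only by supplying a mail address or uid that is already known.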