
Re: Access-Control



Actually there are 2 ways of authenticating/binding in LDAP (bear with me LDAP
purists ;)

1) You can bind anonymously.
2) You can bind as a particular entry in the LDAP server (usually as a user
entry).

In LDAP v3 there are 3 ways of handling authentication in step 2:

1) simple dn and password. This is the traditional mechanism where you pass a DN
and password to the server via clear text. It's the default and most widely
used mechanism.
2) You can authenticate via SSL client certificates.
3) You can authenticate via a SASL plugin. SASL is an Internet standard that
allows you to define optional authentication protocols. The 2 most common
SASL are Kerberos and MD5 hash.

If you are going to use LDAP as an authentication mechanism for a separate
application, you can read about how to do this in a column I wrote nearly a
year ago:

http://developer.netscape.com/viewsource/index_frame.html?content=wilcox_ldap2.html

Mark
-----Original Message-----
From: Stefan Kiesow <Stefan.Kiesow@nwn.de>
To: OpenLDAP <openldap-general@OpenLDAP.org>
Date: Tuesday, August 03, 1999 11:26 AM
Subject: Access-Control


>Hello,
>
>I wonder how I can give different users different access to the
>ldap-Database.
>
>Maybe I didn't understand it the right way, but are there only two ways
>to bind to the ldap-Server: an anonymous and one via the root-dn +
>rootpw?
>
>The question is because of the following:
>
>I want to keep many user-entries in the ldap-server.
>In the Netscape-Address-Book or via the URL-search, I only want to show
>some attributes.
>But in an HTML-Page, I want to offer the possibility to edit one's own
>entry.
>This can be done via a cgi-script with an internal login and pw. Or is
>there a possibility to have more than the anonymous-bind and the rootdn?
>
>Thanks,
>Stefan
>
>
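
An added example, not part of the original thread: the bind choices listed in the reply above, encoded as LDAPv3 BindRequest PDUs, with a small classifier of the kind a traffic monitor could use to tell anonymous, simple and SASL binds apart. The DN, the password and the SASL mechanism name CRAM-MD5 are constructed sample values, and all function names are this example's own.

```python
def ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, value):
    return bytes([tag]) + ber_len(len(value)) + value

def ber_int(n):  # non-negative INTEGER
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def bind_request(msg_id, dn="", password="", sasl_mech=None):
    """Empty dn/password = anonymous bind; sasl_mech selects the SASL choice."""
    if sasl_mech is not None:
        auth = tlv(0xA3, tlv(0x04, sasl_mech.encode()))  # [3] SaslCredentials
    else:
        auth = tlv(0x80, password.encode())  # [0] simple: password sent as-is
    op = tlv(0x60, ber_int(3) + tlv(0x04, dn.encode()) + auth)  # [APPLICATION 0]
    return tlv(0x30, ber_int(msg_id) + op)  # LDAPMessage SEQUENCE

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the element starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def classify_bind(pdu):
    """Return (kind, dn) for a BindRequest, as a traffic monitor might."""
    _, msg, _ = read_tlv(pdu, 0)
    _, _, pos = read_tlv(msg, 0)  # skip messageID
    tag, op, _ = read_tlv(msg, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, _, pos = read_tlv(op, 0)  # skip version
    _, dn, pos = read_tlv(op, pos)
    tag, cred, _ = read_tlv(op, pos)
    if tag == 0xA3:
        return "sasl:" + read_tlv(cred, 0)[1].decode(), dn.decode()
    # A simple bind with an empty password carries no credential.
    return ("simple" if cred else "anonymous"), dn.decode()

SAMPLE = bind_request(2, "uid=stefan,dc=example,dc=com", "s3cret")  # constructed values
```

The password bytes appear verbatim inside `SAMPLE`, which is why a simple bind is normally carried only over an encrypted connection.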