Re: Binding Problems with authentication

[Joe Novielli <jnoviell@matrox.com>]

Perhaps ACLs wows.

Would you agree that this ACL would search and display all entries and hide 
the userpassword entry, without using any authentication ?


access to attr=userpassword
 by * search

access to *
  by * read

If so, why doesn't it show any results after a search

Log file snippet (search "joe")
---------------------------------------------
Jul 21 19:07:27 pluton.matrox.com slapd[20240]: conn=3 fd=6 connection from 
dyn-2-30.matrox.com (192.168.2.180) accepted.
Jul 21 19:07:27 pluton.matrox.com slapd[20240]: conn=3 op=0 BIND dn="" 
method=128
Jul 21 19:07:27 pluton.matrox.com slapd[20240]: conn=3 op=0 RESULT err=0 
tag=97 nentries=0
Jul 21 19:07:27 pluton.matrox.com slapd[20240]: conn=3 op=1 SRCH 
base="LOCATION=DORVAL,O=MATROX,C=CA" scope=2 filter="(cn=*JOE*)"
Jul 21 19:07:27 pluton.matrox.com slapd[20240]: conn=3 op=1 RESULT err=0 
tag=101 nentries=0
Jul 21 19:07:27 pluton.matrox.com slapd[20240]: conn=3 op=3 UNBIND
Jul 21 19:07:27 pluton.matrox.com slapd[20240]: conn=3 op=3 fd=6 closed errno=0
---------------------------------------------------






At 01:10 PM 07/21/99 -0700, you wrote:
> [replied back to list to share answer with others... and the archives]
>
> Joe Novielli wrote:
> > Is that [ACL restricting anonymous reads] OK?  I don't want anonymous
> > to perform searches or reading on any attribute.
>
> Quite understandable.  However, such access controls disallows
> use clients which insist on searching for the entry to bind to.
> Such "friendly bind" approaches, in my opinion, are only useful
> where LDAP is deployed in "friendly" environments.
>
> Clients should just bind to DNs... leaving "friendly" DN mappings
> to the server implementations...  Clients that don't allow users
> to specify a bind DN are flawed.
>
> Kurt