[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: access
ud implem
At 02:22 PM 1/21/00 -0500, squeegy+ldap@squeegy.org wrote:
>I try to connect with ud with my access set to the below I get :
>
>* bind Chiodi
> Authenticating to the directory as "JT Chiodi"...
> Enter your LDAP password:
> Enter your LDAP password:
> Authentication successful.
>
>access to dn=".*,ou=Roaming,dc=amsite,dc=com" by dnattr=owner write
>access to attr=userpassword
> by self write
> by * none
>access to attr=uid,ou,sn,givenname,objectclass
> by self read
> by * search
>
>access to dn=".*,dc=amsite,dc=com"
> by dn=".*,dc=amsite,dc=com" read
> by * read
>
>And I can bind. note the last line above. If I change that from
>by * read to by * none and try to bind in ud I get the following:
>
>* bind Chiodi
> I could not find "Chiodi" in the Directory.
> I used a search base of amsite, com
>
>Of course with by * read set I can browse my ldap directory without
>authenticating.
UD searches the directory for the entry associated with the
user name you enter and then attempts to bind to that entry.
If it cannot find that entry (due to ACL or other reasons),
it cannot preform the bind. This is a so-called "smart bind"
(a number of other clients behave similiarly) and requires
that you allow anonymous searches (appropriate for the
assertions made by the client) AND allow anonymous reads
of the entries' "entry" which you'd like to authenticate
as. You do not have to allow read of any attribute.
access to attr=entry
by * read # allow anon read of DNs
by self write
by dn=".+" read
access to attr=cn,givenName,sn,uid
by dn="" search # allow anon search
by self write
by dn=".+" read
access to attr=userpassword
by self write
by * none # deny non-self including anon
access to *
by self write
by dn=".+" read
by * none # deny anon access
Personally, I disallow "smart" bind...
- References:
- Re: access
- From: David Buttrick <david.buttrick@wilcom.com>