
Re: access



Oops, disregard my last message.  I didn't scroll down.  Thanks for
the info. I will try it out.

> ud implem
> At 02:22 PM 1/21/00 -0500, squeegy+ldap@squeegy.org wrote:
> >I try to  connect with ud with my access set to the below I get :
> >
> >* bind Chiodi
> >  Authenticating to the directory as "JT Chiodi"...
> >  Enter your LDAP password:
> >  Enter your LDAP password:
> >  Authentication successful.
> >
> >access to dn=".*,ou=Roaming,dc=amsite,dc=com" by dnattr=owner write
> >access to attr=userpassword
> >        by self write
> >        by * none
> >access to attr=uid,ou,sn,givenname,objectclass
> >        by self read
> >        by * search
> >
> >access to dn=".*,dc=amsite,dc=com"
> >        by dn=".*,dc=amsite,dc=com" read
> >        by * read
> >
> >And I can bind.  note the last line above.  If I change that from
> >by * read to by * none and try to bind in ud  I get the following:
> >
> >* bind Chiodi
> >  I could not find "Chiodi" in the Directory.
> >  I used a search base of amsite, com
> >
> >Of course with by * read set I can browse my ldap directory without
> >authenticating.
> 
> UD searches the directory for the entry associated with the
> user name you enter and then attempts to bind to that entry.
> If it cannot find that entry (due to ACL or other reasons),
> it cannot perform the bind.  This is a so-called "smart bind"
> (a number of other clients behave similarly) and requires
> that you allow anonymous searches (appropriate for the
> assertions made by the client) AND allow anonymous reads
> of the entries' "entry" which you'd like to authenticate
> as.  You do not have to allow read of any attribute.
> 
> access to attr=entry
> 	by * read	# allow anon read of DNs
> 	by self write
> 	by dn=".+" read
> 
> access to attr=cn,givenName,sn,uid
> 	by dn="" search	# allow anon search
> 	by self write
> 	by dn=".+" read
> 
> access to attr=userpassword
> 	by self write
> 	by * none		# deny non-self including anon
> 
> access to *
> 	by self write
> 	by dn=".+" read
> 	by * none		# deny anon access
> 
> 
> Personally, I disallow "smart" bind...
> 



___________________

Jt "The Squeegy" Chiodi

http://www.squeegy.org/
squeegy@squeegy.org
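The behaviour described in the quoted reply, as an added illustration (not code from the thread, from OpenLDAP or from ud): a small Python model of slapd-style ACL evaluation plus a ud-style "smart bind" client that first searches anonymously for the user, then binds to the DN it found. The directory contents are constructed, the evaluator is simplified (first matching "access to" clause wins, first matching "by" inside it wins, each privilege implies the lower ones, and only the levels used in the thread are modelled), and every function name is hypothetical. It shows why the poster's `by * none` breaks the bind (the anonymous search can no longer return the entry), and that the reply's ACL lets the search succeed without letting anonymous users read any attribute value, userPassword included.

```python
"""Toy model of slapd-style ACLs plus a ud-style "smart bind" client.
Added illustration, not code from the thread, OpenLDAP or ud. Constructed
directory data, simplified evaluator, hypothetical function names."""
import re

LEVELS = ["none", "search", "read", "write"]  # later slapd also has auth/compare

def allows(granted, needed):
    return LEVELS.index(granted) >= LEVELS.index(needed)

# Constructed sample directory: DN -> attributes (names kept lowercase).
DIRECTORY = {
    "uid=chiodi,ou=people,dc=amsite,dc=com": {
        "uid": ["chiodi"], "cn": ["JT Chiodi"], "sn": ["Chiodi"],
        "userpassword": ["secret"]},
    "uid=alice,ou=people,dc=amsite,dc=com": {
        "uid": ["alice"], "cn": ["Alice Example"], "sn": ["Example"],
        "userpassword": ["hunter2"]},
}
ANON = ""   # requester DN of an anonymous session, as matched by 'by dn=""'

def who_matches(who, requester, target_dn):
    if who == "*":
        return True
    if who == "self":
        return requester == target_dn
    if who.startswith("dn="):
        return re.fullmatch(who[3:], requester) is not None
    raise ValueError("unsupported <who> clause: " + who)

def level(acl, requester, target_dn, attr):
    """acl: ordered list of (dn_regex, attrs or None for '*', [(who, level)])."""
    for dn_re, attrs, whos in acl:
        if not re.fullmatch(dn_re, target_dn):
            continue
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, lvl in whos:
            if who_matches(who, requester, target_dn):
                return lvl
        return "none"            # clause matched but no <by> did: deny
    return "none"                # nothing matched: slapd default is deny

def search(acl, requester, attr, value):
    """DNs of matching entries visible to 'requester': the filter attribute
    must be searchable AND the 'entry' pseudo-attribute readable."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if value not in attrs.get(attr, []):
            continue
        if allows(level(acl, requester, dn, attr), "search") and \
           allows(level(acl, requester, dn, "entry"), "read"):
            hits.append(dn)
    return hits

def simple_bind(dn, password):
    entry = DIRECTORY.get(dn)
    return entry is not None and password in entry["userpassword"]

def smart_bind(acl, username, password):
    """ud behaviour: anonymous search for the user, then bind to that DN.
    Returns the bound DN, or None (the "could not find" / bad password case)."""
    hits = search(acl, ANON, "uid", username)
    if len(hits) != 1:
        return None
    return hits[0] if simple_bind(hits[0], password) else None

def can_read(acl, requester, dn, attr):
    return allows(level(acl, requester, dn, attr), "read")

# The original poster's ACL (Roaming/dnattr clause omitted), with the last
# <by> clause parameterised: "read" lets ud work, "none" breaks it.
def poster_acl(last_by):
    return [
        (".*", {"userpassword"}, [("self", "write"), ("*", "none")]),
        (".*", {"uid", "ou", "sn", "givenname", "objectclass"},
         [("self", "read"), ("*", "search")]),
        (".*,dc=amsite,dc=com", None,
         [("dn=.*,dc=amsite,dc=com", "read"), ("*", last_by)]),
    ]

# The ACL suggested in the reply: anon may read 'entry' and search a few
# naming attributes, but may not read any attribute value.
REPLY_ACL = [
    (".*", {"entry"}, [("*", "read"), ("self", "write"), ("dn=.+", "read")]),
    (".*", {"cn", "givenname", "sn", "uid"},
     [("dn=", "search"), ("self", "write"), ("dn=.+", "read")]),
    (".*", {"userpassword"}, [("self", "write"), ("*", "none")]),
    (".*", None, [("self", "write"), ("dn=.+", "read"), ("*", "none")]),
]

if __name__ == "__main__":
    print(smart_bind(poster_acl("read"), "chiodi", "secret"))  # bound DN
    print(smart_bind(poster_acl("none"), "chiodi", "secret"))  # None: not found
    print(smart_bind(REPLY_ACL, "chiodi", "secret"))           # bound DN
```

The model only covers the privilege levels the thread uses; a current slapd also has `auth` and `compare`, and a simple bind there additionally needs `auth` access to userPassword (typically `by anonymous auth`), which is a further reason to check the ACL against the actual server version rather than against this toy.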