
Re: ACL query : write by self without passwords ?



James Blackwell wrote:

> > processes. I created a new object type which has a couple of attributes,
> > but I didn't associate a password attribute with the class. When a
> > process starts up, I want it to look up its own entry in the directory,
> > and update attributes which differ from its current state.
>
> For the first question, it would be best to just set a password for each
> server, and have it know its own password. I suppose you can do a
> derivation of the fix I have for you on not knowing the root password
> below, but then you'll have an ldap server willing to take anything
> from anyone that can reach it. (Read: Really bad idea).

Thanks for the follow up.

OK, I have it now that each process will have its own password. That is now
working fine for when the entry exists and they check the attributes.

What about the situation where the process doesn't yet have an entry in the
directory?
Ideally I want it to be able to add itself in, but when I try that I get "no
such object" on the bind phase of the add. Of course, it doesn't exist yet. Is
this an ACL thing, or do I have to bind as some existing object in order to do
an add? (That kinda scuppers the idea of adding your own entry.)

Currently my ACL is:  access to * by self write by * read
I guess I'd need to change that so only things binding with the same dc can
add themselves. As you say, I don't want any old client adding their entry
in!


Tim
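The following is an added example, not part of the thread above and not anything
the posters wrote. It shows one slapd.conf ACL layout that addresses both points
raised: an entry that does not exist yet cannot bind, so "by self" can never
match on the add, and the add has to be done by some identity that already
exists and has write access to the parent's "children" pseudo-attribute. It also
closes the hole in "access to * by self write by * read", which lets anonymous
clients read every attribute, userPassword hashes included. The suffix
dc=example,dc=com, the container ou=processes, the registrar DN and the 10/8
network are all assumptions; the dn.exact/dn.one, peername.ip and =w forms are
the slapd.access(5) syntax of OpenLDAP 2.1 and later and are assumed to be
available (older releases only have the regex "dn=" form).

```conf
# Added example (not from the original thread). Assumed layout:
#   cn=registrar,dc=example,dc=com              identity the start-up script binds as
#   ou=processes,dc=example,dc=com              container for process entries
#   cn=<proc>,ou=processes,dc=example,dc=com    one entry per process, with userPassword
#
# slapd uses the first "access to" whose target matches the (entry, attribute)
# pair, then the first "by" clause whose subject matches; if no "by" matches,
# access is denied. Specific rules therefore go before general ones.

# 1. Passwords of process entries. The registrar may set one when it creates
#    the entry (=w is write without read, so it cannot read hashes back), the
#    process may change its own, anyone may present it to bind, nobody else
#    may read it.
access to dn.one="ou=processes,dc=example,dc=com" attrs=userPassword
    by dn.exact="cn=registrar,dc=example,dc=com" =w
    by self write
    by anonymous auth
    by * none

# 2. Passwords everywhere else (including the registrar's own): no anonymous
#    read, which the original "by * read" allowed.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 3. Creating entries under ou=processes requires write access to the
#    parent's "children" pseudo-attribute. Only the registrar gets it, and
#    only when it connects from the assumed internal network; both conditions
#    in one "by" clause must hold.
access to dn.exact="ou=processes,dc=example,dc=com" attrs=children
    by dn.exact="cn=registrar,dc=example,dc=com" peername.ip=10.0.0.0%255.0.0.0 write
    by * none

# 4. The process entries themselves (no attrs= list, so the "entry"
#    pseudo-attribute the add needs is covered). The registrar may add, each
#    process may update its own entry once it can bind, everyone else reads.
#    Note: the registrar necessarily gets modify as well as add here; an
#    add cannot be granted without write on the attributes being written.
access to dn.one="ou=processes,dc=example,dc=com"
    by dn.exact="cn=registrar,dc=example,dc=com" write
    by self write
    by * read

# 5. Everything else keeps the old read-only default.
access to *
    by * read

# Intended flow for a new process (commands assumed, run from its start-up
# script): the script binds as the registrar to create the entry, and from
# then on the process binds as its own DN with its own password.
#   ldapadd -x -H ldap://ldap.example.com \
#       -D "cn=registrar,dc=example,dc=com" -W -f new-process.ldif
#   ldapmodify -x -H ldap://ldap.example.com \
#       -D "cn=proc1,ou=processes,dc=example,dc=com" -W -f state-update.ldif
```

The registrar's password still has to be distributed to every host that may
register a process, so rule 3 limits the damage if it leaks: a stolen registrar
credential can only be used from the internal network, and only to create or
change entries under ou=processes, never to read or set passwords elsewhere.
Verify the rules with slapd's ACL debugging (slapd -d acl) or, on releases that
have it, the slapacl tool, rather than by trusting the config as written.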