
Re: authenticating from netscape, take 2



if entry was the whole record, wouldn't a rule like:

access to attr=entry
        by * read

permit read access to all records for everybody? in my case i do get the
behavior i want: netscape is able to retrieve the DN to bind correctly and
no one else can view any records as long as they are anonymous.

jens



on 10/21/00 11:27, Patrick Timmons at ptimmons@courriel.polymtl.ca wrote:

> If I understand correctly, the "entry" "attribute" refers to the whole record,
> not exclusively to the DN. Read Access to "entry" is required to look at the
> record to see what attributes are present and then individual attribute access
> rights are evaluated to see if you are allowed to see the value of each
> attribute. I haven't read the code but this is what I found from experimenting
> with acls. I'm sure Kurt will correct me if I'm wrong.
> 
> Jens Vagelpohl wrote:
>> 
>> well, to be honest, this document on netscape's site that the FAQ refers to
>> is not really all that helpful. i had found about the fact that netscape
>> sends the email address to retrieve the DN from the mailing list archives.
>> 
>> my biggest snag to get any data out of the LDAP server from netscape was the
>> fact that i simply didn't know that the DN is called "entry" when i want to
>> refer to it in the authentication. i didn't see that in the ACL section of
>> the docs at all.
>> 
>> other than that my next problem, getting the full dataset after
>> double-clicking on an entry in the list of matches, seems to have a netscape
>> problem. i upgraded from 4.72/Mac to 4.75/Mac and suddenly that works as
>> well.
>> 
>> i am going to add all this stuff (and *really* explain netscape's data
>> retrieval sequence) to the FAQ-O-Matic.
>> 
>> jens
>> 
>> on 10/20/00 19:36, Kurt D. Zeilenga at Kurt@OpenLDAP.org wrote:
>> 
>>> At 03:10 PM 10/20/00 -0400, Jens Vagelpohl wrote:
>>>> next step is actually retrieving the full set of data. i did see one mailing
>>>> where a guy described the same problem: when you double-click on the listed
>>>> entry netscape goes back to the ldap server to retrieve the full entry.
>>>> BUT... it binds anonymously again, so all i get is the DN and nothing else.
>>>> searching the mailing list further provided no clue.
>>> 
>>> Try the FAQ.  It provides a number of Netscape specific answers
>>> (you are welcomed to additional ones).  In particular,
>>> "How to customize LDAP settings in Netscape Communicator?"
>>> <http://www.openldap.org/faq/index.cgi?file=138> provides a
>>> reference to the Netscape document detailing their use of
>>> LDAP.
>>> 
>>>
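
Added example (not part of any message in this thread, and not slapd code): a small Python model of the two-stage evaluation Patrick describes, applied to the `attr=entry` rule from Jens's message. The second rule, the sample entry and all function names are constructed for illustration, and first-match rule ordering with deny-by-default is assumed.

```python
# Simplified model of the two-stage check described in the thread (not slapd code).
# Assumed: rules are tried in order, the first rule whose target matches decides,
# and whatever is not granted is denied.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def level_for(acl, attr, who):
    """Access level that the first rule matching `attr` gives to `who`."""
    for targets, by_clauses in acl:
        if targets == "*" or attr in targets:
            for subject, level in by_clauses:
                if subject in ("*", who):
                    return level
            return "none"  # rule matched, but no "by" clause covers this client
    return "none"          # no rule matched at all

def can_read(acl, attr, who):
    return LEVELS.index(level_for(acl, attr, who)) >= LEVELS.index("read")

def visible(acl, entry, who):
    """Stage 1: read on the "entry" pseudo-attribute; stage 2: each attribute."""
    if not can_read(acl, "entry", who):
        return None  # the entry is not returned
    attrs = {a: v for a, v in entry["attrs"].items() if can_read(acl, a, who)}
    return {"dn": entry["dn"], "attrs": attrs}

# "access to attr=entry by * read", as quoted in the message above
ENTRY_RULE = ({"entry"}, [("*", "read")])
# Constructed second rule: attribute values only for authenticated binds
VALUES_RULE = ("*", [("users", "read")])

# Constructed sample entry
SAMPLE = {"dn": "cn=Example User,dc=example,dc=com",
          "attrs": {"mail": "user@example.com", "telephoneNumber": "555-0100"}}

if __name__ == "__main__":
    acl = [ENTRY_RULE, VALUES_RULE]
    print("anonymous:", visible(acl, SAMPLE, "anonymous"))
    print("users:    ", visible(acl, SAMPLE, "users"))
    print("no entry rule, anonymous:", visible([VALUES_RULE], SAMPLE, "anonymous"))
```

In this model the `entry` rule alone lets an anonymous client see that the record exists and learn its DN, while every attribute value stays hidden until a rule grants read on that attribute.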