
Re: strange acl question



At 03:29 PM 3/6/01 -0600, Daniell Freed wrote:
>I was playing around with ACLs on my server and had an idea about how to handle authentication, but couldn't figure out a way to implement it (maybe it can't be done).  I know this may seem pretty crazy, but I was just mucking around looking for an appropriate way to set up access rights on my ldap servers. 
>
>What I was thinking about was setting up a means to bind to one ldap server based on the users that exist in a 2nd ldap server.  What I want to do is have one ldap server with contact information in it and one with user information (on a separate box).  And I want to be able to have the users bind to the contact server without having to duplicate their login info. 
>
>What I tried to do was put a referral in my slapd.conf that pointed to the user server.  This portion worked.  I can do ldap searches on the contact server that can return results that exist only on the user server. 
>
>Then I added an acl that looked something like this: 
>
>access to * by 
>   by dn=".*,o=users.company.com" read 
>
>What happens though when I try to bind to do an ldapsearch I get : 
>
>ldap_bind: Inappropriate authentication 
>
>Anyone have any thoughts as to whether this should work, or why it shouldn't work? 

I assume you are using 2.0.  2.0 requires you grant anonymous
'auth' access to userPassword to allow authentication.  See
the admin guide / FAQ / archives for examples of how to use ACLs.
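An slapd.conf ACL fragment, added here as an example (it is not from either message in the thread), showing the layout that grants the anonymous 'auth' access to userPassword that the reply refers to. It assumes the user entries carrying userPassword are held in a database on the contact server itself, and reuses the o=users.company.com suffix from the question.

```conf
# Added example (not from the thread): slapd.conf ACLs for OpenLDAP 2.0.
# Assumes the user entries carrying userPassword live in a database on
# this server and sit under the o=users.company.com suffix from the question.
#
# "access to" clauses are tried in order and the first one whose target
# matches the entry/attribute wins, so the userPassword rule must come
# before the catch-all "access to *"; otherwise the catch-all applies,
# anonymous gets no access to userPassword, and a simple bind cannot
# check the password (the "Inappropriate authentication" seen above).
access to attrs=userPassword
        by anonymous auth       # enough for bind/compare, not for read
        by self write           # a user may change their own password
        by * none

# Everything else: users bound with a DN under o=users.company.com may read.
# In 2.0 the value given to dn= is interpreted as a regular expression.
access to *
        by dn=".*,o=users.company.com" read
        by * none
```

The trailing `by * none` lines only spell out slapd's implicit default, so nothing outside these clauses is granted.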