
Re: [staff@kern.nl: [staff] Re: Using OpenLDAP with authentication in email clients, please help]



Hi Wim,

Thanks for your time.
It did not solve the problem yet, hope I can find some more recipes.
I promise to add all working recipes to the FAQ at OpenLDAP.org!!!

See my comments below for more info.

- Stan


> From: Wim Fournier <wim-openldap-software@geeks.nl>
> 
> Hello,
> 
> The problem is probably that your ACL is not configured properly. Your
> bind ACL is configured as follows:
> 
> access to *
> by self write
> by dn=".+" read
> by dn="^$$" compare
> by * none
> 
> 
> When you try to bind to the LDAP database, it tries to match an access
> to line with the binddn (cn=user,o=root for example). These access to
> lines contain a 'what' clause in the form of a regular
> expression. After finding a matching access to clause, it parses the
> 'by' clauses belonging to this access to clause to find a matching 'who'
> clause (also regex). When found, the access rule belonging to this 'by'
> clause is used.
> 
> The first match for this binddn will be 'access to *' in this config. The
> only 'who' that matches is * in this case, because
> authentication/authorization is done anonymously.

I understood that dn="^$$" means empty dn, i.e. anonymous.
I tried 'anonymous', but the openldap server on my installation did not
accept it. I guess it's an older version (in RedHat 6.2).

> As you can see, the
> matching access rule will be 'none' so the bind fails.
> 
> The reason Netscape _does_ successfully bind could be because it's
> 'ldap-aware'. I think it does bind with the binddn directly, without
> binding anonymously first.

Actually, it does 1 anonymous step I think, as it translates the email
address (mail field in the LDAP store) to the right dn.
The irritating thing is that it immediately forgets the email/passwd used to
do the query (which gives the right results b.t.w.) and when I want to find
another address I have to give email/passwd again.

> 
> If you replace the line
> by * none
> with
> by anonymous auth
> this problem should be solved. This way everyone can do an anonymous bind,
> however they have no other rights till they bind as a user in your LDAP tree.

It doesn't understand 'auth' either.

> btw: the 'by * none' is not needed in this case, because the
> 'defaultaccess none' takes care of this.

You're right. It was still there as I experimented with other defaults

> The by 'dn=".+" read' should be replaced with 'by users read', at least I
> think that is what you want with it...

Yes, and that's what this is an alternative to, I think.


> _Do_ see also:
> http://www.openldap.org/doc/admin/slapdconfig.html#Access Control

Yeah, found that one too.


Hope that someone with Outlook (Express) and LDAP with authentication who
uses this in practice can react.
When looking on the Net, it seems as though no-one uses an LDAP server on
the Internet, with access to people in the directory only, in combination
with email clients like Outlook (Express), NS Communicator, Eudora.


Again: Thanks for your time!



> On Tue, 26 Jun 2001, Stan P. van de Burgt wrote:
> 
>> Hi Guys,
>> 
>> I really searched everywhere on the OpenLDAP site, on other LDAP related sites
>> and on the Internet, but can't solve it myself:
>> 
>> We would like to use OpenLDAP for directory services in our company. This
>> server should be accessible to employees of our company, but no-one else.
>> 
>> The directory should be accessible on the road, from offices in other
>> countries, ..., to people that are in the directory only.
>> 
>> I installed OpenLDAP and populated it with our directory information. When
>> no ACL is present in the slapd.conf file, it works fine with Netscape
>> Communicator, Outlook Express, Eudora, ....
>> 
>> But with ACL present, I barely get Netscape to work (I have to give my email
>> address and password for every query, it doesn't remember it), in Eudora
>> there's no place to put account/password and Outlook fails to login and
>> reverts to anonymous lookup which (obviously) returns 0 matches.
>> 
>> With ldapsearch from remote machines and with LDAP clients like Ldapper, it
>> works fine.
>> 
>> So please: If you have a recipe for using Outlook (Eudora and Netscape are
>> more than welcome too!) with OpenLDAP restricted to people in the directory
>> only, please share it with me.
>> 
>> My slapd.conf is below.
>> 
>> Thanks!
>> 
>> - Stan
>> 
>> --
>> 
>> #
>> # See slapd.conf(5) for details on configuration options.
>> # This file should NOT be world readable.
>> #
>> include         /etc/openldap/slapd.at.conf
>> include         /etc/openldap/slapd.oc.conf
>> schemacheck     off
>> #referral       ldap://root.openldap.org/
>> 
>> pidfile         /var/run/slapd.pid
>> argsfile        /var/run/slapd.args
>> #loglevel 488
>> 
>> #######################################################################
>> # ldbm database definitions
>> #######################################################################
>> 
>> database        ldbm
>> suffix          "dc=Company, dc=com"
>> rootdn          "cn=xxx, dc=Company, dc=com"
>> rootpw          xxx
>> # cleartext passwords, especially for the rootdn, should
>> # be avoided.  See slapd.conf(5) for details.
>> directory       /var/lib/ldap
>> 
>> lastmod on 
>> sizelimit 50
>> defaultaccess none
>> 
>> # anonymous may compare (to bind using Netscape)
>> access to attr=mail
>> by self read
>> by dn=".+" read
>> by * search
>> 
>> access to attr=userPassword
>> by self write
>> by dn="^$$" compare
>> by * none
>> 
>> access to attr=entry
>> by * read
>> 
>> access to *
>> by self write
>> by dn=".+" read
>> by dn="^$$" compare
>> by * none
>> 
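The evaluation order Wim describes (first matching 'access to', then first matching 'by', nothing further consulted) is what decides whether a given bind or search gets through, and it is easy to get wrong by hand. The following is an added example, not part of the thread and not OpenLDAP code: a small Python model of that first-match evaluation, run over the directives from Stan's slapd.conf and over a trimmed version with Wim's two suggestions ('by users read', 'by anonymous auth') applied. It assumes the OpenLDAP 2.x level set, in which 'auth' sits between 'none' and 'compare' and is what a simple bind needs (Stan's 1.2-era server does not know that level, as he notes); that '$$' in slapd.conf is an escaped '$', so dn="^$$" is the regex ^$ matched only by the empty DN of an anonymous session; that dn= patterns are matched as unanchored regexes; and that a directive whose 'by' clauses all miss ends in an implicit 'by * none'. The DNs, the constant names and the 'attr=<name>' / '*' subset of 'what' clauses are constructed for the example.

```python
import re

# Access levels, least to most privileged; each level implies the lower ones.
# 'auth' is what a simple bind needs in OpenLDAP 2.x (assumption: the model
# follows 2.x semantics, which Wim's 'by anonymous auth' suggestion relies on).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines, keeping file order."""
    acl = []  # [(what, [(who, level), ...]), ...]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            acl.append((line[len("access to "):].strip(), []))
        elif line.startswith("by ") and acl:
            who, level = line[3:].rsplit(" ", 1)
            if level not in LEVELS:
                raise ValueError(f"unknown access level {level!r}")
            acl[-1][1].append((who.strip(), level))
        else:
            raise ValueError(f"unrecognised ACL line: {raw!r}")
    return acl


def who_matches(who, requester_dn, target_dn):
    """requester_dn is '' for an anonymous (unauthenticated) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ""
    if who == "users":
        return requester_dn != ""
    if who == "self":
        return requester_dn != "" and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn="):
        # Assumption: '$$' is an escaped '$' in slapd.conf, so "^$$" is the
        # regex ^$, which only the empty DN of an anonymous session matches;
        # dn= patterns are unanchored regexes, hence re.search.
        pattern = who[3:].strip('"').replace("$$", "$")
        return re.search(pattern, requester_dn) is not None
    raise ValueError(f"unsupported 'who' clause: {who!r}")


def granted_level(acl, requester_dn, target_dn, attr):
    """Only the first 'access to' covering the attribute is consulted, and
    within it the first matching 'by' clause decides. A directive whose 'by'
    clauses all miss ends in the implicit 'by * none'; no covering directive
    at all falls back to 'defaultaccess none'."""
    for what, by_clauses in acl:
        covers = what == "*" or (what.startswith("attr=") and what[5:].lower() == attr.lower())
        if not covers:
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn):
                return level
        return "none"
    return "none"


def allowed(acl, requester_dn, target_dn, attr, needed):
    """True when the granted level is at least the level the operation needs."""
    return LEVELS.index(granted_level(acl, requester_dn, target_dn, attr)) >= LEVELS.index(needed)


# The directives from Stan's slapd.conf in the thread (attr=entry omitted).
STAN_ACL = parse_acl("""
access to attr=mail
by self read
by dn=".+" read
by * search
access to attr=userPassword
by self write
by dn="^$$" compare
by * none
access to *
by self write
by dn=".+" read
by dn="^$$" compare
by * none
""")

# A trimmed version with Wim's suggestions applied: 'by users read' replaces
# the dn=".+" regex, 'by anonymous auth' lets an unauthenticated session bind
# (placed on userPassword, the attribute a simple bind is checked against),
# and the trailing 'by * none' lines are left to the implicit default.
WIM_ACL = parse_acl("""
access to attr=userPassword
by self write
by anonymous auth
access to *
by self write
by users read
""")

# A deliberately mis-ordered directive: the broad 'by * read' shadows 'by self write'.
SHADOWED_ACL = parse_acl("access to *\nby * read\nby self write")
```

Running the model shows the mechanics rather than settling who is right about Stan's server: under it an anonymous session gets 'search' on mail from the first directive (the 'access to *' block is never reached for that attribute), 'compare' on userPassword through dn="^$$", and with Wim's version exactly 'auth' on userPassword and nothing else until it binds as a user. The SHADOWED_ACL case is the ordering mistake to check for in any slapd.conf: once 'by * read' matches, the later 'by self write' is dead text, so more specific 'by' clauses must come first.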