
Re: ACL to allow resolving uid@domain to a full DN?



Dan Lowe wrote:
> 
> I'm attempting to create an address book system, but I don't want to allow
> full anonymous read access.  With certain clients I can just put a DN
> string and password in the client config, such as:
> 
>     Username: uid=dan@tangledhelix.com,ou=addressbook,o=MyOrg
>     Password: something
> 
> And they authenticate and can view entries without trouble.  Anonymous
> reads are disabled, as there are those concerned about spammer harvesting.
> I'm not sure I buy into that being a real threat, but it's something I have
> to try to work around.
> 
> However, some clients (such as Netscape Communicator 4.x) take a
> user@domain style username...
> 
>     Username: dan@tangledhelix.com
>     Password: something
> 
> It then binds anonymously to turn that uid into a full DN, which it then
> uses to bind and search.  However, since I can't turn on anonymous reads
> this isn't working for me at all.  I've tried a number of things, but
> nothing appears to work.  I've read over the documentation numerous times
> so I've RTFM already.
> 
> Anyone had to tackle this before, or can supply a working ACL?  I've been
> racking my brains against this for two days without any success...

There's no easy way to do that, to my knowledge.

You can do something like that using the rewrite capabilities in 2.1's
back-ldap/back-meta; it is given as an example in the slapd-meta.5 man 
page (search for "Bind with email instead of full DN"), but I do not 
recommend it. You need to set up a back-ldap as the last database that 
handles requests without a known naming context, i.e.

database ldap
suffix ""

then follow the instructions on how to turn on the desired naming 
context rewrite.  You need some knowledge of regex(7) if you need 
to tweak stuff.

Pierangelo.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 |
mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati
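
[Editor's note, added to this archived thread: the slapd.conf fragment below is an illustrative sketch of the back-ldap rewrite approach Pierangelo describes. It is not his configuration and not the slapd-meta(5) example verbatim. The suffix o=MyOrg, the ou=addressbook container and the uid values follow Dan's message; the hostname localhost, the backend type and the map name attr2dn are assumptions, as is the exact rewriteMap/rewriteRule syntax, which is given from memory of the 2.1 rewrite engine and must be checked against the slapd-meta(5) and slapd-ldap(5) man pages shipped with the version you run.]

```conf
# Illustrative slapd.conf fragment (added example, not from the original
# post).  Goal: let a client that sends a bind DN of the form
# uid=<user@domain>,ou=addressbook,o=MyOrg authenticate without the
# directory allowing anonymous reads of the address book.

# --- the real address-book database (backend type is an assumption) ---
database   bdb
suffix     "o=MyOrg"
rootdn     "cn=Manager,o=MyOrg"

# Passwords: anonymous may only use them to authenticate, never read them.
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

# uid is the lookup key.  "search" lets a filter (uid=...) match an entry
# without returning the value, so harvesting by read is still denied;
# only authenticated users get read access to the entries themselves.
access to attrs=uid
        by anonymous search
        by users read
        by * none

access to *
        by users read
        by * none

# --- last database: catches binds whose DN is in no known naming context ---
database   ldap
suffix     ""
uri        "ldap://localhost/"          # assumption: proxy to this same slapd

rewriteEngine on

# Map: resolve a filter against the address book and return the matching
# entry's DN.  (ldap map syntax from memory of the 2.1 rewrite engine;
# verify against slapd-meta(5) on your version.)
rewriteMap ldap attr2dn "ldap://localhost/ou=addressbook,o=MyOrg?dn?sub"

# Only the bind DN is rewritten: "uid=<value>,..." becomes the DN of the
# entry whose uid is <value>.  ":@I" = treat the substitution result as
# the rewrite output and ignore lookup errors (unmatched binds fail normally).
rewriteContext bindDN
rewriteRule "^uid=([^,]+),.*$" "${attr2dn(uid=$1)}" ":@I"
```

Two caveats a practitioner should keep in mind with this layout. First, the map lookup is performed by the proxy, so whatever identity the proxy uses for that search (anonymous, in the sketch above) needs the "search" privilege on the key attribute in the backend's ACLs; granting "search" rather than "read" keeps the values themselves unreadable, which is what limits the harvesting exposure Dan mentions. Second, the rewrite only helps when the client is willing to present something the proxy can parse as a DN; a client that performs its own anonymous search to find the entry before binding, which is what Dan reports Netscape Communicator 4.x doing, never reaches the bind-DN rewrite, which is consistent with Pierangelo's reluctance to recommend the approach.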