
Re: MacOS X logins very, very slow or failing with Openldap 2.1.23...

I see that and it would be reasonable for most deployments. However, we are in a position to have to address FERPA issues where we cannot expose one user's info to another user. I believe some of the posixAccount attribs would be too much info under our interpretation of FERPA.
Any ideas how I might structure something to help with this?

Quanah Gibson-Mount wrote:

--On Tuesday, November 25, 2003 4:48 PM -0500 Everette Gray Allen <Everette_Allen@ncsu.edu> wrote:

So do you restrict users so they can only read their own data?

We are trying to do this using:
# Narrow rule first: slapd uses the first "access to" whose target matches,
# so placing this after "access to *" would leave it unreachable. The
# regex is anchored so $1 is exactly the uid and cannot match a prefix.
access to dn.regex="^uid=([^,]+),ou=people,dc=ncsu,dc=edu$"
         by dn.regex="^uid=$1,ou=people,dc=ncsu,dc=edu$" read
         by anonymous auth

# Catch-all for everything else; unmatched requesters default to none.
access to *
         by self read
         by anonymous auth
and saslauthd for simple binds.

It works if I code the DN and password in directory setup, but I cannot see another way to do it.

Well, there are two different things here:

1) OS X logins - For this, we expose posixAccount attributes via anonymous bind to a specific range of IP addresses. Note that since we are using K5 for our authentication, there is no need for them to query any password attributes from the directory system.

2) User authentication once they are logged in: Users can see any information available to the 'stanford visible' subset of information at Stanford University via SASL/GSSAPI binds. We do not allow users to modify or change directory data directly; they must use a web-based frontend utility to make those types of changes.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

--
Everette Gray Allen
Systems Programmer II
ITD Computing Services
Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109
919-515-4558
Everette_Allen@ncsu.edu
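Quanah's two-tier layout (posixAccount attributes anonymously readable only from the login hosts' address range, everything else self-only, no password attributes exposed) applied to the ou=people,dc=ncsu,dc=edu tree from the quoted ACL, as an added slapd.conf fragment that is not configuration posted by either writer. It assumes OpenLDAP 2.2-or-later ACL syntax (peername.ip with a netmask, the entry pseudo-attribute) rather than the 2.1.23 in the subject line, and 192.0.2.0/24 is a constructed placeholder for the subnet the Mac OS X login hosts sit on.

```conf
# Added example, not from the thread. slapd evaluates "access to" clauses
# in order and uses the FIRST one whose target matches, so the narrow
# rules must come before "access to *".
# Assumes OpenLDAP 2.2+ syntax; 192.0.2.0/24 is a constructed placeholder
# for the login-host subnet.

# 1. Password attribute: usable for bind, never readable. With K5 or
#    saslauthd doing the actual authentication, slapd only needs "auth".
access to attrs=userPassword
        by anonymous auth
        by * none

# 2. The posixAccount subset a login host needs (plus the "entry"
#    pseudo-attribute, without which the search returns no entries),
#    readable by the owner and anonymously ONLY from the login subnet.
access to dn.regex="^uid=[^,]+,ou=people,dc=ncsu,dc=edu$"
        attrs=entry,objectClass,uid,cn,uidNumber,gidNumber,homeDirectory,loginShell,gecos
        by self read
        by peername.ip=192.0.2.0%255.255.255.0 read
        by * none

# 3. Every other attribute of a person entry (mail, phone, affiliation,
#    ...) is visible to its owner only; other users do not see it at all.
access to dn.regex="^uid=[^,]+,ou=people,dc=ncsu,dc=edu$"
        by self read
        by * none

# 4. Catch-all for the rest of the DIT (the ou=people container, groups,
#    ...). The login subnet gets "search" so the container can serve as
#    a search base without its contents being returned; "search" implies
#    "auth", so it is listed before the generic anonymous clause.
access to *
        by self read
        by peername.ip=192.0.2.0%255.255.255.0 search
        by anonymous auth
        by * none
```

After a restart, an anonymous ldapsearch from inside 192.0.2.0/24 for a uid should return only the attributes listed in rule 2, the same search from any other address should return nothing, and a user bound as their own DN should see their full entry but nobody else's; those three checks are the quickest way to confirm the ordering took effect.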