Re: MacOS X logins very, very slow or failing with Openldap 2.1.23...
I see that and it would be reasonable for most deployments. However we
are in a position to have to address FERPA issues where we can not
expose one user's info to another user. I believe some of the
posixAccount attribs would be too much info under our interpretation of
Any ideas how I might structure something to help with this?
Quanah Gibson-Mount wrote:
--On Tuesday, November 25, 2003 4:48 PM -0500 Everette Gray Allen
So do you restrict users so they can only read their own data?
We are trying to do this using:
# The per-user rule has to come before "access to *": slapd applies the first
# "access to" clause whose target matches, so placed second it is never reached.
# The by-clause regex is anchored; a bare "$1" (e.g. "eallen") would match any
# bind DN containing that string.
access to dn.regex="^uid=([^,]+),ou=people,dc=ncsu,dc=edu$"
    by dn.regex="^uid=$1,ou=people,dc=ncsu,dc=edu$" read
    by anonymous auth
access to *
    by self read
    by anonymous auth
and saslauthd for simple binds.
It works if I code the DN and password in Directory Setup, but I cannot
see another way to do it.
Well, there are two different things here:
1) OS X logins - For this, we expose posixAccount attributes via
anonymous bind to a specific range of IP addresses. Note that since we
are using K5 for our authentication, there is no need for them to query
any password attributes from the directory system.
2) User authentication once they are logged in: Users can see any
information available to the 'stanford visible' subset of information at
Stanford University via SASL/GSSAPI binds. We do not allow users to
modify or change directory data directly; they must use a web-based
frontend utility to make those types of changes.
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
Everette Gray Allen Systems Programmer II
ITD Computing Services Macintosh Support Specialist
2620 Hillsborough St, Campus Box 7109
Raleigh, NC 27695-7109
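For reference, here is one way to write the split Quanah describes as an OpenLDAP 2.1 slapd.conf ACL set: posixAccount attributes readable anonymously only from a given address range (for login-time lookups), passwords usable only for authentication, and everything else in a person entry visible only to its owner. This is an added example, not Everette's or Stanford's configuration. It assumes the ou=people,dc=ncsu,dc=edu naming from the thread, a placeholder address range (152.1.x.x, to be replaced), and the 2.1-era peername string form "IP=address:port" as documented in slapd.access(5); check that form against your own server before relying on it.

```conf
# Added example (not from the thread). OpenLDAP 2.1 slapd.conf ACLs.
# Order matters: slapd uses the first "access to" whose target matches.

# 1. Passwords are never readable; anonymous may use them only to bind.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. Login-time lookups: the attributes an NSS-style client needs to
#    resolve an account, plus the "entry" pseudo-attribute, without which
#    a search matches nothing. Only the owner and clients in the ASSUMED
#    placeholder range 152.1.0.0/16 get them. peername is "IP=addr:port",
#    so the regex allows a trailing port number.
access to dn.regex="^uid=[^,]+,ou=people,dc=ncsu,dc=edu$"
         attrs=entry,objectClass,uid,cn,uidNumber,gidNumber,homeDirectory,loginShell,gecos
    by self read
    by peername.regex="^IP=152\.1\.[0-9]+\.[0-9]+:[0-9]+$" read
    by * none

# 3. Everything else in a person entry: owner only. Other authenticated
#    users fall through to "by * none", so one user never sees another's
#    data (the FERPA requirement from the thread).
access to dn.regex="^uid=[^,]+,ou=people,dc=ncsu,dc=edu$"
    by self read
    by * none

# 4. The rest of the tree (containers, groups) stays readable so base
#    searches and group lookups work. Tighten this to the same peername
#    rule if group membership is also considered sensitive.
access to *
    by * read
```

Because rule 2 matches the listed attributes first, its "by self read" is required; rule 3 never sees those attributes. A quick check after loading the configuration is to bind as one user and search another user's entry: the search should return nothing for that DN, while an anonymous search from inside the allowed range should return only the attributes listed in rule 2.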