Re: How-to secure PosixAccount attr ?
I already have this in my slapd.conf:
but the main problem is that when you do a whoami on id user, the LDAP server
log showed an anonymous bind (BIND="") and after several tests I saw
that it's the BIND from /etc/ldap.conf. Is there a way to make it send
my BIND instead of the one in ldap.conf?
paul kölle wrote:
| server openldap 2.2.17, with sasl auth (krb5)
| access to dn.regex="^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$"
| by anonymous auth
| by users read
| by self read
| The problem is that if I use id user1, for example, the BIND="" unless I
| hardcode it in ldap.conf.
| How can I secure that info?
| Is there a way to pass the current DN of the user?
| thanks!
What does ldapwhoami say?
I'm not totally clear about what you are trying to do, but note that if using
SASL-GSSAPI you need a rule to transform your SASL bind DN to a regular
DN first. This is usually accomplished by a sasl-regexp directive in
slapd.conf like so:
The first expression is supposed to catch your PrincipalName, the second
the realm (the realm might not be sent by your client if it's the
default realm and thus the first cn= statement is missing in which case
the above regexp will fail).
posixAccount is an objectClass; if I recall correctly it can be
referenced as attrs=@posixAccount, haven't tested this though.
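Added example, not part of either message in the thread: a small Python simulation of the two things discussed above, the posted dn.regex ACL (with its by-clauses evaluated in slapd's first-match order) and a pair of sasl-regexp mappings for a GSSAPI identity with and without the cn=<realm> component. It assumes a suffix of dc=example,dc=com and a people container of ou=people, neither of which appears in the thread, and it uses Python's re module in place of slapd's POSIX regex engine (the patterns here behave the same in both). It makes two points visible that the thread only hints at: a client that binds anonymously (nss_ldap without binddn/bindpw or rootbinddn in /etc/ldap.conf, which is what BIND="" in the log reflects) only ever reaches the "by anonymous auth" clause and so cannot read posixAccount attributes for an id lookup; and because "by users read" precedes "by self read" and matches every authenticated bind, the "by self read" clause in the posted ACL is never reached.

```python
import re

# Added example (not from the thread). Assumed suffix: dc=example,dc=com;
# assumed people container: ou=people. Python's re stands in for slapd's
# POSIX regex engine; for the patterns used here the two agree.

# The dn.regex posted in the question, applied unchanged.
ACL_DN_REGEX = re.compile(r"^([^,]*,)?ou=[^,]+,(dc=[^,]+(,dc=[^,]+)*)$")

# The <by> clauses posted in the question, in their original order.
BY_CLAUSES = [("anonymous", "auth"), ("users", "read"), ("self", "read")]


def acl_regex_matches(target_dn):
    """True if the posted 'access to dn.regex=...' directive applies to target_dn."""
    return ACL_DN_REGEX.match(target_dn) is not None


def granted_access(bind_dn, target_dn):
    """Return (who, level) of the first <by> clause slapd would select.

    bind_dn == "" models an anonymous bind (what BIND="" in the log means).
    slapd stops at the first <who> that matches, so later clauses never run.
    """
    if not acl_regex_matches(target_dn):
        return (None, "no-rule")  # another access directive (or the default) decides
    for who, level in BY_CLAUSES:
        if who == "anonymous" and bind_dn == "":
            return (who, level)
        if who == "users" and bind_dn != "":
            return (who, level)
        if who == "self" and bind_dn != "" and bind_dn.lower() == target_dn.lower():
            return (who, level)
    return (None, "none")


# sasl-regexp rules mirroring these assumed slapd.conf (2.2) lines:
#   sasl-regexp uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth uid=$1,ou=people,dc=example,dc=com
#   sasl-regexp uid=([^,]*),cn=gssapi,cn=auth            uid=$1,ou=people,dc=example,dc=com
# The first catches principal@REALM (group 1 = principal, group 2 = realm); the
# second catches the default-realm case, where the cn=<realm> component is absent.
SASL_REGEXPS = [
    (re.compile(r"^uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth$", re.IGNORECASE),
     r"uid=\1,ou=people,dc=example,dc=com"),
    (re.compile(r"^uid=([^,]*),cn=gssapi,cn=auth$", re.IGNORECASE),
     r"uid=\1,ou=people,dc=example,dc=com"),
]


def map_sasl_identity(sasl_dn, rules=SASL_REGEXPS):
    """Rewrite a GSSAPI authorization DN with the first matching sasl-regexp."""
    for pattern, replacement in rules:
        if pattern.match(sasl_dn):
            return pattern.sub(replacement, sasl_dn)
    return sasl_dn  # no rule matched: slapd keeps the raw uid=...,cn=auth DN


def id_lookup_access(bind_dn, user_dn="uid=user1,ou=people,dc=example,dc=com"):
    """Access an 'id user1' lookup gets on user1's entry under the posted ACL."""
    return granted_access(bind_dn, user_dn)


if __name__ == "__main__":
    # nss_ldap with no binddn/bindpw in /etc/ldap.conf binds anonymously:
    print("anonymous bind   ->", id_lookup_access(""))
    # a GSSAPI bind, mapped through the rules, is an authenticated user:
    gssapi_dn = map_sasl_identity("uid=user1,cn=EXAMPLE.COM,cn=gssapi,cn=auth")
    print("gssapi bind      ->", gssapi_dn, id_lookup_access(gssapi_dn))
    # realm omitted by the client: with only the first rule the mapping fails
    print("no realm, 1 rule ->", map_sasl_identity("uid=user1,cn=gssapi,cn=auth", SASL_REGEXPS[:1]))
    print("no realm, 2 rules->", map_sasl_identity("uid=user1,cn=gssapi,cn=auth"))
```

Run it as a script to see the three cases side by side; the unmapped DN in the "1 rule" line is the failure mode described above, since a bind DN of uid=...,cn=gssapi,cn=auth never equals any entry DN and so can never satisfy a "by self" clause.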