
Re: openldap authentication problem



> I am however a bit confused about the meaning of the
> "anonymous auth" line, as I am with access control 
> meanings altogether to be honest. What does the
> "by anonymous auth" line actually allow? In which sense
> is the user anonymous? I did check that it doesn't
> actually allow anonymous login (which I wouldn't
> want anyway) so it's not that.

The anonymous part refers to users who have "bound" to the server
anonymously. By default openLDAP allows people to bind to the server
without a username and password. As with any user they are restricted by
the ACLs that have been defined. I am not sure whether there is a
configuration option that disallows anonymous binds. There may well be
one, I have never needed it. So "by anonymous auth" essentially gives
users who have bound anonymously (or who are performing bind operations
as a legitimate user but have not yet bound) sufficient access to the
userPassword attribute for the server to compare their supplied password
with the attribute.

If you do not grant any access to the userPassword attribute then no one
will be able to bind to the server.

> 
> Also is there a reason you didn't add a ssf factor
> in the suggested line? I tried to add it and it
> works as well.

I can't say exactly why he didn't. Personally I would add the line
because it would essentially prevent anyone from binding if their
connection was not sufficiently secure.

> 
> If someone could point me to some explanation of 
> access rights I would be most grateful. I've seen
> the one in the openldap admin-guide but I must admit
> that it's not really clear to me.
> 

The openLDAP access control man page is probably your best resource...

http://www.openldap.org/software/man.cgi?query=slapd.access&sektion=5&apropos=0&manpath=OpenLDAP+2.2-Release

There are also FAQs for ACL manipulation.
http://www.openldap.org/faq/data/cache/189.html

Lee Jensen
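As an added example, not from the thread or from OpenLDAP's own documentation, the following slapd.conf ACL fragment puts the two points above together: the "by anonymous auth" clause that lets a not-yet-authenticated connection be checked against userPassword, and the ssf qualifier that refuses that check over an insufficiently protected connection. The suffix dc=example,dc=com and the strength value 128 are assumptions.

```conf
# Added example (not from the thread). Suffix and ssf values are assumptions.
# Directives below belong in the database section of slapd.conf.

# Rule for the password attribute only. "by" clauses are tried top-down
# and the first one whose <who> matches decides the outcome.
access to dn.subtree="dc=example,dc=com" attrs=userPassword
    # A user may change their own password, but only on a connection whose
    # security strength factor is at least 128 (e.g. a TLS session).
    by ssf=128 self write
    # "anonymous" is the identity a connection has before any bind has
    # succeeded. A simple bind is evaluated under that identity, so this
    # clause is what lets slapd compare the supplied password with the
    # stored attribute. "auth" grants compare-for-bind only, not read.
    # Requiring ssf=128 here makes a bind attempted over a cleartext
    # connection fail instead of carrying the password in the clear.
    by ssf=128 anonymous auth
    # Everyone else gets nothing. If no clause granted "auth" above,
    # nobody could bind at all.
    by * none

# Remaining attributes: authenticated users may read, anyone else nothing.
access to dn.subtree="dc=example,dc=com"
    by ssf=128 users read
    by * none

# Note: the global directive "disallow bind_anon" (placed before the
# database section) rejects anonymous bind requests outright. The
# "by anonymous auth" clause is still required with it, because the
# password check of a simple bind runs before the session is authenticated.
```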