[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Some More Newbie Questions

--On Tuesday, October 17, 2006 4:16 AM -0700 Ted Johnson <whatawonderfulworldweliveintoo@yahoo.com> wrote:

75 Hi; Here are some more questions I have in setting up my slapd.conf file:

* How does one incorporate a user certificate? Where does one incorporate
strongAuthenticationUser, certificationAuthority?
* Since my server is a stand-alone unit and I am the only administrator,
I see no need for using Kerberos. However, TLS requires anonymous bind,
and anonymous bind     presents the problem of possible DoS attacks. Are
there work-arounds with this, or, if I'm concerned about the same, is
this reason enough to use Kerberos?
* What are limits? Is this just for syncrepl? I have no replication.
* Where does one set limits? In the database config file?
* Access scope has three potential values: base, subtree and children.
Does "children" go down the entire subtree, such that the only difference
between "subtree" and "children" is that the former includes the base?
* Can someone give me a clear explanation with an example of "dnattr" and
where it is used (i.e. slapd.conf or slapd.d/cn=control)?
* Can someone give me a clear explanation with an example of how and
where to use "ssf"? How can this be configured for someone authorizing
via SSH2? How about an internal daemon?
* Why is the default timelimit so high (3600)? I mean, if slapd can't
find what it's looking for in 300 seconds, something's wrong!
* I had to specially install bdb to use bdb. Do I have to specially
install monitor to use monitor? If so, where do I find it?

You already asked all this on ldap@umich, and got answers from it. Most, if not all, your questions would be answered by reading the OpenLDAP Admin guide and the OpenLDAP FAQ. And your concept about TLS and anonymous binds is just wrong. It is an encryption layer, not a authentication mechanism(*), so you can use it with whatever authentication mechanism you choose, or anonymous.

(*) SASL/EXTERNAL can use user certs to do authentication in addition to setting up a TLS connection.


-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html