[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Restricted/controlled simple bind

Tobias Franzén wrote:
> Hi.
> Is there a way to have a more fine-grained restriction for simple binds
> rather than just On of Off? Maybe some ACL regexp?
> For instance I want to restrict simple bind possibilities to direct
> children of two or three OU groups, and furthermore I want to restrict
> the simple binds for the normal users to those with a {SASL} entry in
> their userPassword (or everyone if it cannot be specified separately).
> I'm using the option "password-hash {CLEARTEXT}" and don't want users
> without a userPassword like "{SASL}<uid>@REALM" to be allowed to do
> simple binds to the LDAP database. I have a Kerberos realm setup to
> handle passwords and saslauthd for the password check.
> Some applications that I have running are not kerberized. So I can't
> disable simple binds completely, since these applications still need to
> do simple binds for authentication.
> You might say that simple binds won't be possible if entries don't have
> a userPassword attribute, but I'd like some better reassurance.

You can use access control on the userPassword attribute.  Something like

access to attrs=userPassword
	by group="ou=Simple Bind" auth
	by * break

access to attrs=userPassword val.regex="^{SASL}.*"
	by * auth


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it