[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Restricted/controlled simple bind

Pierangelo Masarati wrote:
Tobias Franzén wrote:

Is there a way to have a more fine-grained restriction for simple binds
rather than just On of Off? Maybe some ACL regexp?

For instance I want to restrict simple bind possibilities to direct
children of two or three OU groups, and furthermore I want to restrict
the simple binds for the normal users to those with a {SASL} entry in
their userPassword (or everyone if it cannot be specified separately).

I'm using the option "password-hash {CLEARTEXT}" and don't want users
without a userPassword like "{SASL}<uid>@REALM" to be allowed to do
simple binds to the LDAP database. I have a Kerberos realm setup to
handle passwords and saslauthd for the password check.

Some applications that I have running are not kerberized. So I can't
disable simple binds completely, since these applications still need to
do simple binds for authentication.

You might say that simple binds won't be possible if entries don't have
a userPassword attribute, but I'd like some better reassurance.

You can use access control on the userPassword attribute. Something like

access to attrs=userPassword
	by group="ou=Simple Bind" auth
	by * break

Not quite. "auth" operations are always anonymous.

It would need to be something like

access to dn.one="ou=Simple Bind" attrs=userPassword
	by anonymous auth

access to attrs=userPassword val.regex="^{SASL}.*"
	by * auth

-- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/