On 12/15/2011 12:32 PM, Axel Birndt wrote:
> Hi Dieter,
>
> On 15.12.2011 08:29, Dieter Klünter wrote:
>>> Now my question:
>>>
>>> which minimum acl rights are needed for the Bind User:
>>>
>>> "cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
>>>
>>> to connect to the ldap server and check the group of the user who
>>> tries to log in.
>>>
>>> I hope my description is understandable...
>>
>> http://www.openldap.org/doc/admin24/access-control.html#Sets
>
> Thanks for your answer, which is really very helpful.
>
> At the moment, I have a problem understanding which actions the bind user has to do to mediate the login user to the LDAP server.
>
> In my opinion, I should be able to create the acl entry by myself... but before this, I have to verify what steps the bind user is doing during the login.
>
> PS: At the moment the login through the apache ldap module is working fine, but I would like to limit the rights of this user to the needed minimum.

The bind user has to bind himself (auth access) and must have the rights to search user objects in your tree (search access).

Best thing is to create a new ou with bind users, and there you can specify some special acl rules with a regex for bind users....

1. bind user authenticates himself on the ldaps server
2. Search the tree with a search filter (defined in the apache config)
3. Get a user dn back
4. user bind ...

-- 
Raffael Sahli
public@raffaelsahli.com
Switzerland
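As an added example (not posted by anyone in this thread), here is an OpenLDAP cn=config ACL that gives the bind DN from the question exactly the rights the four steps above need and nothing more. The database index {1}hdb, the user subtree ou=user, the group subtree ou=groups with a member attribute, and the ou=bind regex in the comment are assumptions to adjust to your own tree.

```ldif
# Added example: minimum ACL for the apache bind user, as a cn=config modify.
# Assumptions (not from the thread): database is olcDatabase={1}hdb, login
# users live under ou=user,dc=2axels-company,dc=de, and the groups apache checks
# with "Require ldap-group" live under ou=groups,dc=2axels-company,dc=de and
# list their users in a "member" attribute.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Steps 1 and 4: the bind user and the login user each authenticate against
# their own userPassword. "auth" lets slapd check a bind password but never
# return the value; "=xw" lets an entry change (not read) its own password.
olcAccess: {0}to attrs=userPassword
  by self =xw
  by anonymous auth
  by * none
# Steps 2 and 3: search access on the user subtree for the bind DN only, so the
# apache filter (e.g. (uid=%u)) can match an entry and hand back its DN.
# "search" sits below "read": the bind user can find entries, not dump them.
# With a dedicated ou for bind users (Raffael's suggestion; ou=bind is an
# assumed name) replace dn.exact with
#   dn.regex="^cn=[^,]+,ou=bind,dc=2axels-company,dc=de$"
olcAccess: {1}to dn.subtree="ou=user,dc=2axels-company,dc=de"
  by dn.exact="cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" search
  by self read
  by * none
# Group check: apache does an LDAP compare on the group's member attribute as
# the bind user, which needs "compare" (not read) on that attribute and "entry".
olcAccess: {2}to dn.subtree="ou=groups,dc=2axels-company,dc=de" attrs=member,entry
  by dn.exact="cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" compare
  by * none
# Put your existing rules for admins and normal users before this catch-all;
# it closes everything else to the bind user and to anonymous clients.
olcAccess: {3}to *
  by * none
```

Load it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif`, then verify step 2 as the bind user with `ldapsearch -x -D "cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" -W -b "ou=user,dc=2axels-company,dc=de" "(uid=someone)" 1.1`, which should return only the matching DN and no attribute values.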