Re: ACL question - minimum rights for Apache HTTP Server Bind User



Axel,

Axel Birndt wrote (14.12.2011 21:36):

----apache.conf-------
.....
AuthType basic
AuthBasicProvider ldap
AuthName "LDAP-geschuetztes Verzeichnis"
AuthLDAPUrl "ldap://localhost:389/ou=user,dc=2axels-company,dc=de?cn?sub"
AuthLDAPBindDN "cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
# It doesn't work if the bind password is encrypted, does it?
#AuthLDAPBindPassword {SHA}pfiSFDDFSAAE$$%j8BTtCUqs9IZWsQ=
# Because of this, the password is currently used as an unencrypted one:
AuthLDAPBindPassword xxxxxxxxxxx
Require ldap-group cn=awstats,ou=groups,dc=2axels-company,dc=de
....
----------------------------------

Now my question:

which minimum acl rights are needed for the Bind User:

"cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"

to connect to the ldap server and check the group of the user who tries to log in.
If I understand your apache config right, you
- enter values of cn attributes into your http auth
- the objects to these cn values are in ou=user,dc=2axels-company,dc=de
- allowed users are in an ldap group cn=awstats,ou=groups,dc=2axels-company,dc=de

So apache must be able to
- search for cn attributes in ou=user,dc=2axels-company,dc=de,
- authenticate with an object in ou=user,dc=2axels-company,dc=de and
- read the members of cn=awstats,ou=groups,dc=2axels-company,dc=de
(You should see from your slapd log whether there are any other actions from apache, like searching for groups etc.)

Since you want to protect this information from anonymous access, you decided to use a bind user cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de.
So all the rights above have to be granted to this user.


Marc
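A slapd.conf ACL fragment that grants only the three rights listed in Marc's reply, added here as a constructed example (it is not from the thread or from the OpenLDAP project). It assumes slapd.conf syntax rather than cn=config, the DNs from Axel's apache.conf, and that the group stores its members in member or uniqueMember.

```conf
# Constructed example: minimal grants for the Apache bind user.
# slapd uses the first matching "access to" clause, and the first matching
# "by" line within it, so these must come before any broader rule that
# matches the same entries.

# 1. Passwords in ou=user are never readable, but anyone (including the
#    still-anonymous connection that Apache opens) may use them to bind.
#    This covers both the bind user's own simple bind and the rebind
#    Apache does as the web user to verify the submitted password.
access to dn.subtree="ou=user,dc=2axels-company,dc=de" attrs=userPassword
        by self write
        by * auth

# 2. The bind user may search ou=user by cn and read the cn attribute.
#    "entry" and "objectClass" are needed for search results to be returned
#    at all; nothing else in the user entries is exposed to it.
access to dn.subtree="ou=user,dc=2axels-company,dc=de" attrs=entry,objectClass,cn
        by dn.exact="cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" read
        by * none

# 3. The bind user may read (and therefore compare against) the member
#    list of the awstats group, which is what "Require ldap-group" needs.
access to dn.exact="cn=awstats,ou=groups,dc=2axels-company,dc=de" attrs=entry,objectClass,member,uniqueMember
        by dn.exact="cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" read
        by * none
```

After loading the configuration, slapacl can confirm the result offline, e.g. slapacl -D "cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" -b "cn=awstats,ou=groups,dc=2axels-company,dc=de" member/read, and the same check against userPassword on a user entry should report that read is denied.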