Liam Gretton wrote:
> On 19/04/2013 17:20, Howard Chu wrote:
>
>> Better to do this in a slapd ACL and enforce from the server side, than to
>> rely on correctness of multiple clients.
>>
>> access to attrs=userpassword filter=(globalLock=off)
>>     by anonymous auth
>
> We don't use LDAP for passwords, and that wouldn't prevent SSH key logins either.

You could (or better should) easily extend this ACL-based approach to whole user entries. Use your imagination. Actually I'm doing this all the time.

> Also we trust our client config just as much as our LDAP config.

I often have to deal with clients where I can't set a filter in client configuration at all. Usually some appliances are a nightmare to configure.

Ciao, Michael.