[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Access auth granularity?

To: Dora Paula <deepee@gmx.net>
Subject: Re: Access auth granularity?
From: Hallvard Breien Furuseth <h.b.furuseth@usit.uio.no>
Date: Mon, 9 May 2016 13:31:09 +0200
Cc: openldap-technical@openldap.org
In-reply-to: <57303586.1090500@gmx.net>
References: <57303586.1090500@gmx.net>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.7.0

On 09. mai 2016 09:00, Dora Paula wrote:

Dear List,

I've two subtrees that contain user-accounts:
ou=usersA,dc=example,dc=com and ou=usersB,dc=example,dc=com.

Goal: Users below ou=userA,... should only be allowed to bind using
sasl_bind, but not with simple_bind. Whereas users below ou=usersB,... should
be allowed to bind using both (or any kind of bind).


Simple Bind uses anonymous auth (=x) access to userPassword.
Does your SASL setup use userPassword?  If not, or if userPassword
for SASL look like {foo}something but other passwords do not,
use can use something like

olcAccess: to attrs=userPassword dn.children="ou=usersB,..."
  by anonymous =x
  by self =w
# just reject passwords outside usersB.  If you need something else,
# may add val.regex=^[{]SASL[}] or whatever, see man slapd.access(5)
olcAccess: to attrs=userPassword by * none

--
Hallvard

Follow-Ups:
- Re: Access auth granularity?
  - From: Dora Paula <deepee@gmx.net>
- Re: Access auth granularity?
  - From: Dora Paula <deepee@gmx.net>

References:
- Access auth granularity?
  - From: Dora Paula <deepee@gmx.net>

Prev by Date: Re: Access auth granularity?
Next by Date: Re: Access auth granularity?
Index(es):
- Chronological
- Thread