[389-users] anonymous access

On Tue, Jul 28, 2009 at 2:13 AM, John A. Sullivan III <jsullivan at opensourcedevel.com> wrote:
> On Mon, 2009-07-27 at 23:29 -0700, Techie wrote:
>> Hello,
>> I am trying to altogether eliminate anonymous access to my directory.
>> However, in doing this my authentication fails unless I add a binddn
>> and bindpw to the ldap.conf on the clients.
>> As I understand it "bindpw" is inappropriate according to the OpenLDAP
>> architects.
>>
>> So my situation right now looks like this. I have a ldap.conf
>> populated with a binddn and bindpw entry.
>> This allows me to remove anonymous access and authenticate to the
>> directory with ldap user credentials.
>> This is what I want, I just do not want to store a username and pass
>> in the ldap.conf file.
>>
>> However, if I remove this binddn and bindpw entry and I disallow
>> anonymous access, I am unable to authenticate against the directory
>> using LDAP user credentials. Even though upon attempting to log in I am
>> supplying valid LDAP user credentials, it cannot find the user because
>> it initially binds as "nobody" or 'dn=""' in the access log and is
>> unable to locate attributes due to the lack of anonymous access.
>>
>> Is there a way to have LDAP use the credentials of the user logging in
>> to bind to the directory initially?
>> What are my options?
>> I can force SASL GSSAPI, but it is not ideal in my situation.
>>
> <snip>
> As far as I know (and that's not very far), that's the way it is.  How
> else would the client be able to query the directory?  We made sure we
> did not use a sensitive password and also ensured the ldap.conf file was
> NOT world readable.  We also had to implement some custom ACIs to
> replace anonymous access and, I'm surprised how many applications simply
> assume anonymous access; we had to do a bit of dancing on a per
> application basis to make them work.  Hope this helps - John
> --
> John A. Sullivan III
> Open Source Development Corporation
> +1 207-985-7880
> jsullivan at opensourcedevel.com
>
> http://www.spiritualoutreach.com
> Making Christianity intelligible to secular society
John,
It does help, thank you. Currently I use an account for the binddn
that has only read access to a subset of attributes, so not much damage
can be done. I will keep searching and see what I find.

Thanks again
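What the two posts describe (a read-only proxy bind account plus custom ACIs that replace the stock anonymous access, while users still bind with their own credentials) written out as an added example for 389 Directory Server; this is not from the thread or from the 389 project. The suffix dc=example,dc=com, the account uid=nssproxy,ou=Special Users, the attribute list and the exact text of the stock anonymous ACI are assumptions; confirm the latter with an ldapsearch for aci on your suffix before deleting it, since a delete must match the existing value exactly.

```ldif
# Assumed suffix: dc=example,dc=com; assumed proxy account: uid=nssproxy,ou=Special Users
# 1. The low-privilege account the clients bind with instead of binding anonymously.
dn: uid=nssproxy,ou=Special Users,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: nssproxy
cn: NSS proxy bind account
sn: proxy
userPassword: CHANGEME-placeholder

# 2. On the suffix: drop the stock "anyone may read" ACI (value assumed to be the
#    setup default; verify it first), grant the proxy account read/search/compare on
#    only the attributes NSS lookups need, and let each user read their own entry
#    after binding with their own DN and password.
dn: dc=example,dc=com
changetype: modify
delete: aci
aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
  allow (read, search, compare) userdn="ldap:///anyone";)
-
add: aci
aci: (targetattr="objectClass || uid || cn || uidNumber || gidNumber || gecos ||
  homeDirectory || loginShell || memberUid")(version 3.0; acl "NSS lookups via
  proxy bind"; allow (read, search, compare)
  userdn="ldap:///uid=nssproxy,ou=Special Users,dc=example,dc=com";)
-
add: aci
aci: (targetattr!="aci")(version 3.0; acl "Users read their own entry";
  allow (read, search, compare) userdn="ldap:///self";)
-

# 3. Optionally refuse anonymous binds server-wide. This is a 389 DS cn=config
#    setting not mentioned in the thread; leave it out if your version lacks it.
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: off
```

Apply it with ldapmodify as the Directory Manager; on the clients the matching binddn/bindpw lines in ldap.conf should then be readable by root only, as John's post notes, since the password protects nothing more than the attributes listed in the proxy ACI.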