Re: [389-users] require ssl/tls only for binding as user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

2010/1/11 Johannes Woerner <jkwoerner@xxxxxxxxxxxxxx>:
> Hi,
>
> I'm evaluating the migrating of an openldap installation to
> 389 directory server (ca 1200 user objects).
> With openldap I can restrict client authentication to ssl/tls ldap
> connections and
> in parallel allow anonymous (unencrypted) access to items like phone number etc.
> (slapd.conf with: "security simple_bind=56")
>
> Is there a way you can do this with 389 directory server?
Yes. By using ACIs and the features described here :
http://directory.fedoraproject.org/wiki/Roadmap#389_Directory_Server_1.2.3_-_October_7.2C_2009
An example of an ACI for unauthentified anonymous access (userdn =
"ldap:///anyone";) :

aci: (targetattr = "objectClass || sn || givenName || uid || cn ||
displayName || title || mail || ou || departmentNumber ||
telephoneNumber || facsimileTelephoneNumber ||
physicalDeliveryOfficeName ") (version 3.0;acl "Enable anonymous read
access";allow (read,compare,search)(userdn = "ldap:///anyone";) and
(ip="127.0.0.1" or ip="10.1.*" or ip="172.16.*" or ip="192.168.*" ");)

More about ACIs :
http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Access_Control.html


@+
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux