Tobias Franzén wrote:
Hi.
Is there a way to have a more fine-grained restriction for simple binds rather than just On or Off? Maybe some ACL regexp?
For instance I want to restrict simple bind possibilities to direct children of two or three OU groups, and furthermore I want to restrict the simple binds for the normal users to those with a {SASL} entry in their userPassword (or everyone if it cannot be specified separately).
I'm using the option "password-hash {CLEARTEXT}" and don't want users without a userPassword like "{SASL}<uid>@REALM" to be allowed to do simple binds to the LDAP database. I have a Kerberos realm setup to handle passwords and saslauthd for the password check.
Some applications that I have running are not kerberized. So I can't disable simple binds completely, since these applications still need to do simple binds for authentication.
You might say that simple binds won't be possible if entries don't have a userPassword attribute, but I'd like some better reassurance.
You can use access control on the userPassword attribute. Something like
access to attrs=userPassword by group="ou=Simple Bind" auth by * break
access to attrs=userPassword val.regex="^{SASL}.*" by * auth
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
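As an added check that is not part of this thread: a small Python audit that reads an LDIF export (for example from slapcat) and lists the entries directly under the given OUs whose userPassword is not a {SASL} pass-through value, i.e. the entries slapd could still verify a simple bind against locally rather than through saslauthd. The suffix dc=example,dc=com and the sample entries are constructed for the example.

```python
import base64
import re

SASL_RE = re.compile(r"^\{SASL\}", re.IGNORECASE)

# Constructed sample export (not real data): bob has a cleartext password and
# carol a base64-encoded {SSHA} hash; app1 lives outside ou=People.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
userPassword: {SASL}alice@EXAMPLE.COM

dn: uid=bob,ou=People,dc=example,dc=com
userPassword: secret

dn: uid=carol,ou=People,dc=example,dc=com
userPassword:: e1NTSEF9ZmFrZWhhc2g=

dn: cn=app1,ou=Service,dc=example,dc=com
userPassword: app-secret
"""

def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if line == "":                    # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(name.lower(), []).append(value.strip())
    return entries

def audit(text, ous):
    """DNs of direct children of the given OUs whose userPassword is not {SASL}.
    Parent DN is taken at the first comma, so escaped commas are not handled."""
    wanted = {o.lower() for o in ous}
    bad = []
    for e in parse_ldif(text):
        dn = e.get("dn", [""])[0]
        if dn.partition(",")[2].lower() not in wanted:
            continue
        if any(not SASL_RE.match(pw) for pw in e.get("userpassword", [])):
            bad.append(dn)
    return bad
```

Entries with no userPassword at all are not reported, since slapd has nothing to check a simple bind against for them.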