On 12/15/2011 12:32 PM, Axel Birndt wrote:
Hi Dieter,
On 15.12.2011 08:29, Dieter Klünter wrote:
Now my question:
Which minimum ACL rights are needed for the bind user
"cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
to connect to the LDAP server and check the group of the user who tries to log in?
I hope my description is understandable...
http://www.openldap.org/doc/admin24/access-control.html#Sets
Thanks for your answer, which is really very helpful.
At the moment I have a problem understanding which actions the bind user has to perform to mediate the login user to the LDAP server.
I think I should be able to create the ACL entry myself... but before that, I have to verify what steps the bind user performs during the login.
PS: At the moment the login through the Apache LDAP module is working fine, but I would like to limit the rights of this user to the needed minimum.
The bind user has to bind himself (auth access) and must have the rights to search user objects in your tree (search access).
The best thing is to create a new OU with bind users, and there you can specify some special ACL rules with a regex for bind users....
1. The bind user authenticates himself on the LDAPS server
2. Search the tree with a search filter (defined in the Apache config)
3. Get a user DN back
4. User bind ...
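A minimal olcAccess set covering those four steps, written as an added example for this thread (it is neither from the thread nor from the OpenLDAP documentation). It assumes login users live under ou=people,dc=2axels-company,dc=de and Apache's AuthLDAPURL searches that base, groups live under ou=groups,dc=2axels-company,dc=de, the database is olcDatabase={1}mdb, and Apache uses Require ldap-group with its default member attribute, which mod_authnz_ldap checks with an LDAP compare rather than a read.

```ldif
# Added example: minimal rights for the Apache bind user.
# Assumed (not from the thread): people under ou=people, groups under
# ou=groups, database olcDatabase={1}mdb.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# Steps 1 and 4: a bind only needs "auth" on userPassword, granted to
# anonymous because nobody is authenticated yet when the bind arrives.
# Nobody, not even the bind user, may read password hashes.
olcAccess: {0}to attrs=userPassword
  by anonymous auth
  by * none
# Steps 2 and 3: the bind user may search the people subtree with Apache's
# filter (uid=...) and get the matching DN back. "read" implies "search";
# "entry" is needed so the entry itself (and thus its DN) is returned.
olcAccess: {1}to dn.subtree="ou=people,dc=2axels-company,dc=de" attrs=entry,objectClass,uid
  by dn.exact="cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" read
  by * none
# Group check: Require ldap-group is answered with an LDAP compare on the
# group's member attribute, so "compare" suffices; the member list itself
# is never readable by the bind user.
olcAccess: {2}to dn.subtree="ou=groups,dc=2axels-company,dc=de" attrs=entry,member
  by dn.exact="cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" compare
  by * none
# Everything else stays closed for the bind user; a user may read its own entry.
# Order matters: the first "to" clause matching the target wins, so this
# catch-all must stay last.
olcAccess: {3}to *
  by self read
  by * none
```

Apply it with ldapmodify against cn=config and confirm with ldapsearch as the bind user that userPassword and member are not returned while the uid search still yields the DN.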