Hi @All,
currently I am using a special user
"cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
as the bind user in my apache.conf file.
----apache.conf-------
.....
AuthType basic
AuthBasicProvider ldap
AuthName "LDAP-geschuetztes Verzeichnis"
AuthLDAPUrl "ldap://localhost:389/ou=user,dc=2axels-company,dc=de?cn?sub"
AuthLDAPBindDN "cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
# it doesn't work if the bind password is encrypted... does it?
#AuthLDAPBindPassword {SHA}pfiSFDDFSAAE$$%j8BTtCUqs9IZWsQ=
# Because of this, the password is currently used as an unencrypted one:
AuthLDAPBindPassword xxxxxxxxxxx
Require ldap-group cn=awstats,ou=groups,dc=2axels-company,dc=de
....
----------------------------------
Now my question:
which minimum ACL rights are needed for the bind user
"cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
to connect to the LDAP server and check the group of the user who tries to log in.
I hope my description is understandable...
Thanks and regards
Axel
On Wed, 14 Dec 2011 21:36:58 +0100, Axel Birndt towerlexa@gmx.de wrote:
Hi @All,
currently I am using a special user
"cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
as the bind user in my apache.conf file.
[...]
Now my question:
which minimum ACL rights are needed for the bind user
"cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
to connect to the LDAP server and check the group of the user who tries to log in.
I hope my description is understandable...
http://www.openldap.org/doc/admin24/access-control.html#Sets
-Dieter
Hi Dieter,
On 15.12.2011 08:29, Dieter Klünter wrote:
Now my question:
which minimum ACL rights are needed for the bind user
"cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
to connect to the LDAP server and check the group of the user who tries to log in.
I hope my description is understandable...
http://www.openldap.org/doc/admin24/access-control.html#Sets
Thanks for your answer, which is really very helpful.
At the moment, I have a problem understanding which actions the bind user has to perform to mediate the login user to the LDAP server.
In my opinion, I should be able to create the ACL entry myself... but before this, I have to verify what steps the bind user performs during the login.
PS: At the moment the login through the Apache LDAP module is working fine, but I would like to limit the rights of this user to the needed minimum.
On 12/15/2011 12:32 PM, Axel Birndt wrote:
Hi Dieter,
On 15.12.2011 08:29, Dieter Klünter wrote:
Now my question:
which minimum ACL rights are needed for the bind user
"cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
to connect to the LDAP server and check the group of the user who tries to log in.
I hope my description is understandable...
http://www.openldap.org/doc/admin24/access-control.html#Sets
Thanks for your answer, which is really very helpful.
At the moment, I have a problem understanding which actions the bind user has to perform to mediate the login user to the LDAP server.
In my opinion, I should be able to create the ACL entry myself... but before this, I have to verify what steps the bind user performs during the login.
PS: At the moment the login through the Apache LDAP module is working fine, but I would like to limit the rights of this user to the needed minimum.
The bind user has to bind itself (auth access) and must have the rights to search user objects in your tree (search access).
The best thing is to create a new OU with bind users, and there you can specify some special ACL rules with a regex for bind users....
1. The bind user authenticates itself on the LDAP server
2. Search the tree with a search filter (defined in the Apache config)
3. Get a user DN back
4. User bind ...
Axel,
Axel Birndt wrote (14.12.2011 21:36):
----apache.conf-------
.....
AuthType basic
AuthBasicProvider ldap
AuthName "LDAP-geschuetztes Verzeichnis"
AuthLDAPUrl "ldap://localhost:389/ou=user,dc=2axels-company,dc=de?cn?sub"
AuthLDAPBindDN "cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
# it doesn't work if the bind password is encrypted... does it?
#AuthLDAPBindPassword {SHA}pfiSFDDFSAAE$$%j8BTtCUqs9IZWsQ=
# Because of this, the password is currently used as an unencrypted one:
AuthLDAPBindPassword xxxxxxxxxxx
Require ldap-group cn=awstats,ou=groups,dc=2axels-company,dc=de
....
Now my question:
which minimum ACL rights are needed for the bind user
"cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
to connect to the LDAP server and check the group of the user who tries to log in.
If I understand your Apache config right, you
- enter values of cn attributes in your HTTP auth
- the objects for these cn values are in ou=user,dc=2axels-company,dc=de
- allowed users are in an LDAP group cn=awstats,ou=groups,dc=2axels-company,dc=de
So Apache must be able to
- search for cn attributes in ou=user,dc=2axels-company,dc=de,
- authenticate with an object in ou=user,dc=2axels-company,dc=de and
- read the members of cn=awstats,ou=groups,dc=2axels-company,dc=de
(You should see from your slapd log if there are any other actions from Apache, like searching for groups etc.)
Since you want to protect this information from anonymous access, you decided to use a bind user cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de. So all the rights above have to be granted to this user.
Marc
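A minimal slapd.conf ACL set that grants exactly the three things Marc lists and supports the bind/search/bind sequence from the earlier reply, added here as an example and not taken from the thread; the DNs are the ones from Axel's config, while the group member attribute name (member) and the final catch-all rule are assumptions:

```conf
# Added example, not from the thread. Rules are evaluated in order: the
# first "access to" clause that matches the target decides.

# 1. Both the bind user (under ou=technical,ou=user) and the end users
#    must be able to do a simple bind: "auth" on userPassword for
#    anonymous is all that a bind needs.
access to dn.subtree="ou=user,dc=2axels-company,dc=de" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 2. The bind user searches ou=user for "(cn=<login name>)" and needs the
#    matching DN back: search on cn to apply the filter, and read on the
#    "entry" pseudo-attribute so the entry is returned in the result
#    (read implies search in OpenLDAP's privilege hierarchy).
access to dn.subtree="ou=user,dc=2axels-company,dc=de" attrs=entry,cn
    by dn.exact="cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" read
    by * none

# 3. "Require ldap-group" checks the found user DN against the group's
#    member attribute on the bind user's connection; "compare" is the
#    lowest level that allows this, and "read" (as Marc describes) would
#    also cover it. Assumption: the group uses "member" (use uniqueMember
#    for groupOfUniqueNames).
access to dn.exact="cn=awstats,ou=groups,dc=2axels-company,dc=de" attrs=entry,member
    by dn.exact="cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" compare
    by * none

# Nothing else is granted to the bind user: everything it does not need
# (other attributes, other subtrees) falls through to this catch-all.
# Assumption: a real directory will have further rules above this one
# for its other clients.
access to *
    by * none
```

Watch the slapd log (loglevel acl or stats) while logging in once: if Apache issues any operation beyond the bind, the cn search and the group compare, it will show up there as an "insufficient access" result against these rules.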
openldap-technical@openldap.org