<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 03/11/2012 11:02 PM, MATON Brett wrote:
<blockquote cite="mid:201203120612.q2C6CnJE022933@mx1.redhat.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
was blind, and now I can see! (Life of Brian)<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Thanks
Nathan,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size: 11pt; font-family:
&quot;Calibri&quot;,&quot;sans-serif&quot;; color: rgb(31,
73, 125);">&nbsp; Is that documented anywhere?</span></p>
</div>
</blockquote>
<br>
<a class="moz-txt-link-freetext" href="http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig">http://docs.redhat.com/docs/en-US/Red_Hat_Directory_Server/9.0/html/Configuration_Command_and_File_Reference/Core_Server_Configuration_Reference.html#cnconfig</a><br>
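<p>Added example (not part of the original messages and not 389 Directory Server code): once anonymous access is turned off, the access log shows which clients still send unauthenticated operations. The Python sketch below groups access-log lines of the kind quoted later in this thread by connection and lists every operation rejected with "Anonymous access not allowed". The sample log and its 192.0.2.x addresses are constructed, and the function names are hypothetical.</p>

```python
import re
from collections import Counter

# Constructed sample in the access-log format quoted in this thread.
# The 192.0.2.x addresses are documentation placeholders, not thread values.
# conn=41 has no "connection from" line, as happens right after log rotation.
SAMPLE_LOG = """\
[08/Mar/2012:15:04:40 +0100] conn=41 op=3 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:04:40 +0100] conn=41 op=3 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=42 fd=64 slot=64 SSL connection from 192.0.2.10 to 192.0.2.1
[08/Mar/2012:15:04:49 +0100] conn=42 SSL 128-bit RC4
[08/Mar/2012:15:04:49 +0100] conn=42 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:04:49 +0100] conn=42 op=0 RESULT err=48 tag=101 nentries=0 etime=0
[08/Mar/2012:15:04:49 +0100] conn=42 op=1 UNBIND
[08/Mar/2012:15:04:49 +0100] conn=42 op=1 fd=64 closed - U1
[08/Mar/2012:15:05:02 +0100] conn=43 fd=65 slot=65 SSL connection from 192.0.2.20 to 192.0.2.1
[08/Mar/2012:15:05:02 +0100] conn=43 op=0 BIND dn="cn=ldapsearch,cn=config" method=128 version=3
[08/Mar/2012:15:05:02 +0100] conn=43 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[08/Mar/2012:15:05:10 +0100] conn=44 fd=66 slot=66 SSL connection from 192.0.2.10 to 192.0.2.1
[08/Mar/2012:15:05:10 +0100] conn=44 op=0 UNPROCESSED OPERATION - Anonymous access not allowed
[08/Mar/2012:15:05:10 +0100] conn=44 op=0 RESULT err=48 tag=101 nentries=0 etime=0
"""

# "[timestamp] conn=N rest-of-line"
LINE_RE = re.compile(r"^\[([^\]]+)\] conn=(\d+) (.*)$")
# Connection-open line: records which client owns a connection id.
CONNECT_RE = re.compile(r"connection from (\S+) to (\S+)$")
# The rejection the server logs when anonymous access is disabled.
REJECT_RE = re.compile(
    r"^op=(\d+) UNPROCESSED OPERATION - Anonymous access not allowed$")
# RESULT line for an operation; err=48 is inappropriateAuthentication.
RESULT_RE = re.compile(r"^op=(\d+) RESULT err=(\d+)\b")


def find_rejected_anonymous(log_text):
    """Return rejected anonymous operations, in log order, as dicts."""
    clients = {}     # conn id: client address seen on the connect line
    pending = {}     # (conn, op): rejection still waiting for its RESULT
    rejections = []
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # not an access-log line
        stamp, conn, rest = match.group(1), int(match.group(2)), match.group(3)

        connect = CONNECT_RE.search(rest)
        if connect:
            clients[conn] = connect.group(1)
            continue

        reject = REJECT_RE.match(rest)
        if reject:
            entry = {
                "time": stamp,
                "conn": conn,
                "op": int(reject.group(1)),
                # Connect line may be in an older, rotated log file.
                "client": clients.get(conn, "unknown"),
                "err": None,
            }
            rejections.append(entry)
            pending[(conn, entry["op"])] = entry
            continue

        result = RESULT_RE.match(rest)
        if result:
            entry = pending.pop((conn, int(result.group(1))), None)
            if entry is not None:
                entry["err"] = int(result.group(2))
    return rejections


def summarize_by_client(rejections):
    """Count rejected anonymous operations per client address."""
    return dict(Counter(entry["client"] for entry in rejections))


if __name__ == "__main__":
    found = find_rejected_anonymous(SAMPLE_LOG)
    for entry in found:
        print(entry["time"], entry["client"],
              "conn=%d op=%d err=%s" % (entry["conn"], entry["op"], entry["err"]))
    print(summarize_by_client(found))
```

<p>Connection ids restart when the server restarts, so run this over one server lifetime at a time.</p>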
<blockquote cite="mid:201203120612.q2C6CnJE022933@mx1.redhat.com"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Brett<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D"><o:p>&nbsp;</o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US"> Nathan Kinder [<a class="moz-txt-link-freetext" href="mailto:nkinder@redhat.com">mailto:nkinder@redhat.com</a>]
<br>
<b>Sent:</b> 09 March 2012 17:03<br>
<b>To:</b> General discussion list for the 389 Directory
server project.<br>
<b>Cc:</b> MATON Brett<br>
<b>Subject:</b> Re: [389-users] Solaris 10 Clients
without anonymous binds<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p>&nbsp;</o:p></p>
<p class="MsoNormal">On 03/09/2012 04:27 AM, MATON Brett wrote:
<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Hi
Carsten,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;
I found a solution to my problem.</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;
I edited dse.ldif and set</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">require_secure_binds:
on</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">allow_anonymous_access:
on (&lt;- this is the default, I did have it set off which
works fine with openldap clients).</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">I
then deleted the “Enable anonymous access” ACI:</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">aci:
(targetattr != "userPassword") (version 3.0;acl "Enable
anonymous access";allow (read,compare,search)(userdn = <a
moz-do-not-send="true" href="ldap://anyone">"ldap:///anyone"</a>);)</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">and
added</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">aci:
(targetattr = "*") (version 3.0;acl "Allow Bound
Users";allow (read,compare,search,selfwrite)(userdn = <a
moz-do-not-send="true" href="ldap://all">"ldap:///all"</a>);)</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;">It
would appear that the dse.ldif option
“allow_anonymous_binds: off” stops all anonymous binds to
anything, including the rootdse.</span><o:p></o:p></p>
<p class="MsoNormal">Your observation is correct, but there is a
third setting for nsslapd-allow-anonymous-access. If you set
its value to "rootdse", it will only allow anonymous access
to the root DSE. Anonymous access to anything else will be
denied.<br>
<br>
<o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks
for your help all the same,</span><o:p></o:p></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Brett</span><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US"> <a moz-do-not-send="true"
href="mailto:389-users-bounces@lists.fedoraproject.org">389-users-bounces@lists.fedoraproject.org</a>
[<a moz-do-not-send="true"
href="mailto:389-users-bounces@lists.fedoraproject.org">mailto:389-users-bounces@lists.fedoraproject.org</a>]
<b>On Behalf Of </b>Carsten Grzemba<br>
<b>Sent:</b> 09 March 2012 11:18<br>
<b>To:</b> General discussion list for the 389 Directory
server project.<br>
<b>Subject:</b> Re: [389-users] Solaris 10 Clients without
anonymous binds</span><o:p></o:p></p>
</div>
<p class="MsoNormal">&nbsp;<o:p></o:p></p>
<p class="MsoNormal">ldapmodify -a -f &lt;ldif&gt; -D ...<br>
is more recommended and<br>
it is not possible to put this aci in the dse.ldif directly.<br>
<br>
On 09.03.12, <b>MATON Brett </b>&lt;<a
moz-do-not-send="true" href="mailto:Brett.Maton@nrb.be">Brett.Maton@nrb.be</a>&gt; wrote:<o:p></o:p></p>
<div>
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks
again Carsten,</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;
To put the ACI’s in the root do I need to edit
/etc/dirsrv/slapd&lt;instance&gt;/dse.ldif and
add them there, or simply do an ldapadd ?</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Thanks
Brett</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;</span><o:p></o:p></p>
<div style="border:none;border-top:solid windowtext
1.0pt;padding:3.0pt 0cm 0cm
0cm;border-color:-moz-use-text-color
-moz-use-text-color;-moz-border-top-colors:
none;-moz-border-right-colors:
none;-moz-border-bottom-colors:
none;-moz-border-left-colors:
none;-moz-border-image: none">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US"> <a moz-do-not-send="true"
href="mailto:389-users-bounces@lists.fedoraproject.org">389-users-bounces@lists.fedoraproject.org</a>
[<a moz-do-not-send="true"
href="mailto:389-users-bounces@lists.fedoraproject.org">mailto:389-users-bounces@lists.fedoraproject.org</a>]
<b>On Behalf Of </b>Carsten Grzemba<br>
<b>Sent:</b> 09 March 2012 09:51<br>
<b>To:</b> General discussion list for the 389
Directory server project.<br>
<b>Subject:</b> Re: [389-users] Solaris 10
Clients without anonymous binds</span><o:p></o:p></p>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi,<br>
<br>
As far as I know, access to the nisdomain
attribute is only necessary for the Solaris LDAP
client so that it can pull and refresh the
configuration profile from the LDAP server (refresh
after the TTL has expired (default 1d)). It is a marker:
where the nisdomain value matches is the
right namingContext/BaseDN in which to search for the profile.
The profile is commonly located in the ou=profile
container and has the
objectclass=DUAConfigProfile.<br>
<br>
But the ACI should be placed on the root entry
dc=example,dc=com.<br>
<br>
If you want to use the LDAP server Profile concept
for Solaris Clients you can run
/usr/lib/ldap/idsconfig. <br>
There you must adjust the version checking, so
that 389DS matches DS 5.2. <br>
<br>
On 09.03.12, <b>MATON Brett </b>&lt;<a
moz-do-not-send="true"
href="mailto:Brett.Maton@nrb.be">Brett.Maton@nrb.be</a>&gt; wrote:<o:p></o:p></p>
<div>
<table class="MsoNormalTable" border="0"
cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt .75pt .75pt">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
came across this link </span><a
moz-do-not-send="true"
href="https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native"
target="1">https://blogs.oracle.com/jo/entry/anonymous_access_and_solaris_native</a><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Which
mentions adding the following ACL’s:</span><o:p></o:p></p>
<p class="MsoNormal"
style="margin-top:7.5pt;mso-margin-bottom-alt:auto;line-height:13.5pt;background:white;background-position-x:0%;background-position-y:0%;background-attachment:scroll"><span
style="font-size:9.0pt;font-family:"Arial","sans-serif";color:red">the
baseDN</span><span
style="font-size:9.0pt;font-family:"Arial","sans-serif";color:#555555">-
(target = <a moz-do-not-send="true"
href="ldap://dc=example,dc=com">ldap:///dc=example,dc=com</a>)
(targetscope = base)
(targetattr="\*") (version 3.0; acl
"anonymousBaseDN"; allow (read,
compare, search) (userdn = <a
moz-do-not-send="true"
href="ldap://anyone">"ldap:///anyone"</a>)
;) .</span><o:p></o:p></p>
<p class="MsoNormal"
style="margin-top:7.5pt;mso-margin-bottom-alt:auto;line-height:13.5pt;background:white;background-position-x:0%;background-position-y:0%;background-attachment:scroll"><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#555555">For
super secure access, this aci
could be modified thus to only
allow access to the</span></i><b><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:fuchsia">nisDomain</span></i></b><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#555555">attribute</span></i><o:p></o:p></p>
<p class="MsoNormal"
style="margin-top:7.5pt;mso-margin-bottom-alt:auto;line-height:13.5pt;background:white;background-position-x:0%;background-position-y:0%;background-attachment:scroll"><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#555555">(target
= <a moz-do-not-send="true"
href="ldap://dc=example,dc=com">ldap:///dc=example,dc=com</a>)
(targetscope = base) (targetattr="</span></i><b><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:fuchsia">nisdomain</span></i></b><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#555555">")
(version 3.0; acl
"anonymousBaseDN"; allow (read,
compare, search) (userdn = <a
moz-do-not-send="true"
href="ldap://anyone">"ldap:///anyone"</a>)
;) .</span></i><o:p></o:p></p>
<p class="MsoNormal"
style="margin-top:7.5pt;mso-margin-bottom-alt:auto;line-height:13.5pt;background:white;background-position-x:0%;background-position-y:0%;background-attachment:scroll"><span
style="font-size:9.0pt;font-family:"Arial","sans-serif";color:blue">the
profile container</span><span
style="font-size:9.0pt;font-family:"Arial","sans-serif";color:#555555">-
(target = <a moz-do-not-send="true"
href="ldap://ou=profile,dc=example,dc=com">"ldap:///ou=profile,dc=example,dc=com"</a>)
(targetscope = subtree)
(targetattr="\*") (version 3.0; acl
"anonymousProfile"; allow
(read,compare,search) (userdn = <a
moz-do-not-send="true"
href="ldap://anyone">"ldap:///anyone"</a>)
;)</span><o:p></o:p></p>
<p class="MsoNormal"
style="margin-top:7.5pt;mso-margin-bottom-alt:auto;line-height:13.5pt;background:white;background-position-x:0%;background-position-y:0%;background-attachment:scroll"><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#555555">For
super secure access, this aci
could be modified thus to only
allow access to the</span></i><b><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#99284C">proxyagent
user</span></i></b><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#555555">object</span></i><o:p></o:p></p>
<p class="MsoNormal"
style="margin-top:7.5pt;mso-margin-bottom-alt:auto;line-height:13.5pt;background:white;background-position-x:0%;background-position-y:0%;background-attachment:scroll"><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#555555">(target
= "<a moz-do-not-send="true"
href="ldap://">ldap:///</a></span></i><b><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#99284C">cn=proxyagent,ou=profile</span></i></b><i><span
style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#555555">,dc=example,dc=com")
(targetscope = subtree)
(targetattr="\*") (version 3.0;
acl "anonymousProfile"; allow
(all) (userdn = <a
moz-do-not-send="true"
href="ldap://anyone">"ldap:///anyone"</a>)
;)</span></i><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">I
just can’t figure out where to put
them, any help appreciated!</span><o:p></o:p></p>
<div>
<div
style="border:none;border-top:solid
windowtext 1.0pt;padding:3.0pt 0cm
0cm
0cm;border-color:-moz-use-text-color;-moz-border-top-colors:
none;-moz-border-right-colors:
none;-moz-border-bottom-colors:
none;-moz-border-left-colors:
none;-moz-border-image: none">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US"> <a
moz-do-not-send="true"
href="mailto:389-users-bounces@lists.fedoraproject.org">389-users-bounces@lists.fedoraproject.org</a>
[<a moz-do-not-send="true"
href="mailto:389-users-bounces@lists.fedoraproject.org">mailto:389-users-bounces@lists.fedoraproject.org</a>]
<b>On Behalf Of </b>MATON Brett<br>
<b>Sent:</b> 08 March 2012 14:39<br>
<b>To:</b> General discussion
list for the 389 Directory
server project.<br>
<b>Subject:</b> Re: [389-users]
Solaris 10 Clients without
anonymous binds</span><o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">Hi
Carsten,</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:&quot;Calibri&quot;,&quot;sans-serif&quot;;color:#1F497D">&nbsp;
I’ll give it a go, thanks.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Brett</span><o:p></o:p></p>
<div style="border:none;border-top:solid
windowtext 1.0pt;padding:3.0pt 0cm 0cm
0cm;border-color:-moz-use-text-color;-moz-border-top-colors:
none;-moz-border-right-colors:
none;-moz-border-bottom-colors:
none;-moz-border-left-colors:
none;-moz-border-image: none">
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""
lang="EN-US"> <a
moz-do-not-send="true"
href="mailto:389-users-bounces@lists.fedoraproject.org">389-users-bounces@lists.fedoraproject.org</a>
[<a moz-do-not-send="true"
href="mailto:389-users-bounces@lists.fedoraproject.org">mailto:389-users-bounces@lists.fedoraproject.org</a>]
<b>On Behalf Of </b>Carsten
Grzemba<br>
<b>Sent:</b> 08 March 2012 14:34<br>
<b>To:</b> General discussion list
for the 389 Directory server
project.<br>
<b>Subject:</b> Re: [389-users]
Solaris 10 Clients without
anonymous binds</span><o:p></o:p></p>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi,<br>
<br>
I guess it must be possible for the
Solaris client to read at least the
base so the client can see the
supported features:<br>
# ldapsearch -h &lt;ldapserver&gt; -b
"" -s base objectclass="*"<br>
should return the supportedcontrols,
etc.<br>
<br>
<br>
On 08.03.12, <b>MATON Brett </b>&lt;<a
moz-do-not-send="true"
href="mailto:Brett.Maton@nrb.be">Brett.Maton@nrb.be</a>&gt; wrote:<o:p></o:p></p>
<div>
<table class="MsoNormalTable"
border="0" cellpadding="0">
<tbody>
<tr>
<td style="padding:.75pt .75pt
.75pt .75pt">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I’ve
got some hosts using
Solaris 10<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">cat /etc/release</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:&quot;Courier
New&quot;,&quot;serif&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Solaris 10 10/09
s10s_u8wos_08a SPARC</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:&quot;Courier
New&quot;,&quot;serif&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Copyright 2009 Sun Microsystems,
Inc.&nbsp; All Rights
Reserved.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:&quot;Courier
New&quot;,&quot;serif&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Use is subject to
license terms.</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:&quot;Courier
New&quot;,&quot;serif&quot;">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Assembled 16
September 2009</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Which
I’ve configured with
ldapclient manual (failed
miserably until I allowed
anonymous binds in
dse.ldif).<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">ldapclient manual -vv \</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:&quot;Courier
New&quot;,&quot;serif&quot;">-a defaultSearchBase=&lt;blah&gt; \</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">-a defaultSearchScope=sub \</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">-a authenticationMethod=tls:simple \</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">-a credentialLevel=proxy \</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">-a proxyDN=cn=ldapsearch,cn=config \</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:&quot;Courier
New&quot;,&quot;serif&quot;">-a proxyPassword=&lt;blah&gt; \</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">-a
serviceAuthenticationMethod=pam_ldap:tls:simple
\</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:&quot;Courier
New&quot;,&quot;serif&quot;">-a domainName=&lt;blah&gt; \</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">-a certificatePath=/var/ldap \</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:&quot;Courier
New&quot;,&quot;serif&quot;">-a
serviceSearchDescriptor=group:ou=Groups,&lt;blah&gt;
&lt;389 server&gt;</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">If
I turn anonymous binds off
once the client is
configured, it fails to
connect because the
Solaris client is still
insisting on making
anonymous binds.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I’m
getting these in my access
log:<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:&quot;Courier
New&quot;,&quot;serif&quot;">[08/Mar/2012:15:04:49 +0100] conn=1 fd=64
slot=64 SSL connection
from &lt;Solaris 10&gt;
to &lt;389 DS&gt;</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">[08/Mar/2012:15:04:49 +0100] conn=1 SSL
128-bit RC4</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">[08/Mar/2012:15:04:49 +0100] conn=1 op=0
UNPROCESSED OPERATION -
Anonymous access not
allowed</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">[08/Mar/2012:15:04:49 +0100] conn=1 op=0
RESULT err=48 tag=101
nentries=0 etime=0</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">[08/Mar/2012:15:04:49 +0100] conn=1 op=1
UNBIND</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span
style="font-size:10.0pt;font-family:"Courier
New","serif"">[08/Mar/2012:15:04:49 +0100] conn=1 op=1
fd=64 closed - U1</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Anyone
come across this before
and have a solution? I
really don’t want to have
to allow anonymous
binds...<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;&nbsp; Brett<o:p></o:p></p>
</div>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">&nbsp;<o:p></o:p></p>
</div>
<p><span
style="font-size:7.0pt;font-family:"Verdana","sans-serif";color:gray">-------------------------------------------------------------------</span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#669933">GreeNRB<br>
</span></b><i><span
style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#669933">NRB
considers its environmental
responsibility and goes for green
IT.</span></i><span
style="font-size:7.5pt;font-family:&quot;Tahoma&quot;,&quot;sans-serif&quot;;color:#669933">&nbsp;
<br>
<i>May we ask you to consider yours
before printing this e-mail? </i><b>&nbsp;</b></span><o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span
style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#000066">NRB,
daring to commit <br>
</span></b><i><span
style="font-size:7.5pt;font-family:"Tahoma","sans-serif";color:#000066">This
e-mail and any attachments, which
may contain information that is
confidential and/or protected by
intellectual property rights, are
intended for the exclusive use of
the above-mentioned addressee(s).
Any use (including reproduction,
disclosure and whole or partial
distribution in any form
whatsoever) of their content is
prohibited without prior
authorization of NRB. If you have
received this message by error,
please contact the sender promptly
by resending this e-mail back to
him (her), or by calling the above
number. Thank you for subsequently
deleting this e-mail and any files
attached thereto.</span></i><o:p></o:p></p>
</div>
</td>
</tr>
</tbody>
</table>
</div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">--<o:p></o:p></p>
</div>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<pre>--<o:p></o:p></pre>
<pre>389 users mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:389-users@lists.fedoraproject.org">389-users@lists.fedoraproject.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://admin.fedoraproject.org/mailman/listinfo/389-users">https://admin.fedoraproject.org/mailman/listinfo/389-users</a><o:p></o:p></pre>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<br>
</body>
</html>