On Mon, 2009-07-27 at 23:29 -0700, Techie wrote:
Hello,
I am trying to altogether eliminate anonymous access to my directory.
However in doing this my authentication fails unless....I add a binddn
and bindpw to the ldap.conf on the clients.
As I understand it "bindpw" is inappropriate according to the OpenLDAP
architects.
So my situation right now looks like this. I have a ldap.conf
populated with a binddn and bindpw entry.
This allows me to remove anonymous access and authenticate to the
directory with ldap user credentials.
This is what I want, I just do not want to store a username and pass
in the ldap.conf file.
However if I remove this binddn and bindpw entry, and I disallow
anonymous access, I am unable to authenticate against the directory
using ldap user credentials. Even though upon attempting to login i am
supplying valid LDAP user credentials it cannot find the user because
it initially binds as "nobody" or 'dn="" in the access log and
is
unable to locate attributes do to the lack of anonymous access.
Is there a way to have LDAP use the credential of the user logging in
to bind to the directory initially.
What are my options?
I can force SASL GSSAPI but it it not ideal in my situation.
<snip>
As far as I know (and that's not very far), that's the way it is. How
else would the client be able to query the directory. We made sure we
did not use a sensitive password and also ensured the ldap.conf file was
NOT world readable. We also had to implement some custom ACIs to
replace anonymous access and, I'm surprised how many applications simply
assume anonymous access; we had to do a bit of dancing on a per
application basis to make them work. Hope this helps - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan(a)opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society