Hi,
I'm evaluating the migrating of an openldap installation to 389 directory server (ca 1200 user objects). With openldap I can restrict client authentication to ssl/tls ldap connections and in parallel allow anonymous (unencrypted) access to items like phone number etc. (slapd.conf with: "security simple_bind=56")
Is there a way you can do this with 389 directory server?
Regards Johannes
Hi,
2010/1/11 Johannes Woerner jkwoerner@googlemail.com:
Hi,
I'm evaluating the migrating of an openldap installation to 389 directory server (ca 1200 user objects). With openldap I can restrict client authentication to ssl/tls ldap connections and in parallel allow anonymous (unencrypted) access to items like phone number etc. (slapd.conf with: "security simple_bind=56")
Is there a way you can do this with 389 directory server?
Yes. By using ACIs and the features described here : http://directory.fedoraproject.org/wiki/Roadmap#389_Directory_Server_1.2.3_-... An example of an ACI for unauthentified anonymous access (userdn = "ldap:///anyone") :
aci: (targetattr = "objectClass || sn || givenName || uid || cn || displayName || title || mail || ou || departmentNumber || telephoneNumber || facsimileTelephoneNumber || physicalDeliveryOfficeName ") (version 3.0;acl "Enable anonymous read access";allow (read,compare,search)(userdn = "ldap:///anyone") and (ip="127.0.0.1" or ip="10.1.*" or ip="172.16.*" or ip="192.168.*" ");)
More about ACIs : http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Access_Cont...
@+
I'm evaluating the migrating of an openldap installation to
389 directory server (ca 1200 user objects). With openldap I can restrict client authentication to ssl/tls ldap connections and in parallel allow anonymous (unencrypted) access to items like phone
number etc.
(slapd.conf with: "security simple_bind=56")
Is there a way you can do this with 389 directory server?
Yes. By using ACIs and the features described here :
http://directory.fedoraproject.org/wiki/Roadmap#389_Directory_Server_1.2.3_-...
Thank you, I missed this.
Best regards Johannes
You have also this (starting from version 1.2.1) :
* Add require secure binds switch o This adds a new configuration attribute named nsslapd-require-secure-binds. When enabled, a simple bind will only be allowed over a secure transport (SSL/TLS or a SASL privacy layer). An attempt to do a simple bind over an insecure transport will return a LDAP result of LDAP_CONFIDENTIALITY_REQUIRED. This new setting will not affect anonymous or unauthenticated binds. o The default setting is to have this option disabled.
2010/1/11 Johannes Woerner jkwoerner@googlemail.com:
I'm evaluating the migrating of an openldap installation to
389 directory server (ca 1200 user objects). With openldap I can restrict client authentication to ssl/tls ldap connections and in parallel allow anonymous (unencrypted) access to items like phone number etc. (slapd.conf with: "security simple_bind=56")
Is there a way you can do this with 389 directory server?
Yes. By using ACIs and the features described here :
http://directory.fedoraproject.org/wiki/Roadmap#389_Directory_Server_1.2.3_-...
Thank you, I missed this.
Best regards Johannes
-- 389 users mailing list 389-users@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/389-users
389-users@lists.fedoraproject.org