On 12/15/2011 12:32 PM, Axel Birndt wrote:
Hi Dieter,
On 15.12.2011 08:29, Dieter Klünter wrote:
> Now my question:
>
> which minimum acl rights are needed for the Bind User:
>
> "cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de"
>
> to connect to the LDAP server and check the group of the user who
> tries to log in.
>
> I hope my description is understandable...
http://www.openldap.org/doc/admin24/access-control.html#Sets
Thanks for your answer, which is really very helpful.
At the moment I have a problem understanding which actions the
bind user has to perform to mediate the login user to the LDAP server.
In my opinion, I should be able to create the ACL entry by myself...
but before that, I have to verify what steps the bind user is doing
during the login.
PS: At the moment the login through the Apache LDAP module is working
fine, but I would like to limit the rights of this user to the
needed minimum.
The bind user has to bind himself (auth access) and must have the rights
to search user objects in your tree (search access).
The best thing is to create a new ou with bind users, and there you can
specify some special ACL rules with a regex for bind users....
1. The bind user authenticates himself on the LDAPS server
2. Search the tree with a search filter (defined in the Apache config)
3. Get a user DN back
4. User bind
...
--
Raffael Sahli
[email protected]
Switzerland
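The four steps above, written out as a minimal slapd.conf-style ACL set. This is an added example, not a configuration from the thread or from the OpenLDAP project; it assumes the group entries live under `ou=groups,dc=2axels-company,dc=de` (the thread never names that subtree), that `uid` is the attribute the Apache search filter matches on, and that group membership is stored in `member`. OpenLDAP evaluates `access` directives in order and stops at the first `to` clause that matches, so the `userPassword` rule has to stand before the general subtree rules, and the access levels nest (`auth` < `compare` < `search` < `read`), so granting `read` on an attribute already covers using it in a filter.

```conf
# Added example (not from the thread). Minimal rights for the flow:
#   1. bind user binds     2. bind user searches with the Apache filter
#   3. user DN comes back  4. the login user binds with that DN
# Assumed names: ou=groups,... for group entries, uid as login attribute,
# member as the group membership attribute.

# Steps 1 and 4: a simple bind is always evaluated as anonymous before the
# identity is established, so "anonymous auth" on userPassword covers both
# the bind user's own bind and the login user's bind. Nobody, the bind
# user included, can read password hashes; users may change their own.
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none

# Steps 2 and 3: any bind user under ou=technical (the regex approach
# suggested above) may search the user subtree and read just the attributes
# the Apache filter and the returned DN need. "entry" is the pseudo
# attribute that controls whether an entry may be searched and returned.
access to dn.subtree="ou=user,dc=2axels-company,dc=de" attrs=entry,objectClass,uid,cn
        by dn.regex="^cn=[^,]+,ou=technical,ou=user,dc=2axels-company,dc=de$" read
        by self read
        by * none

# Group check (assumed subtree): mod_authnz_ldap verifies a "Require
# ldap-group" with an LDAP compare of the group's member attribute against
# the user DN, so the bind user needs compare, not read, on member.
access to dn.subtree="ou=groups,dc=2axels-company,dc=de" attrs=entry,objectClass,cn
        by dn.regex="^cn=[^,]+,ou=technical,ou=user,dc=2axels-company,dc=de$" read
        by * none

access to dn.subtree="ou=groups,dc=2axels-company,dc=de" attrs=member
        by dn.regex="^cn=[^,]+,ou=technical,ou=user,dc=2axels-company,dc=de$" compare
        by * none

# Everything not matched above stays closed.
access to *
        by * none
```

If slapd is run from `cn=config` instead of slapd.conf, the same clauses go into `olcAccess` values on the database entry with `{0}`, `{1}`, ... ordering prefixes. To verify the result without touching Apache, bind as the bind user with `ldapsearch -D "cn=bind,ou=technical,ou=user,dc=2axels-company,dc=de" -W` and run the exact filter from the Apache config: the user DN should come back, but `userPassword` must not, and a search under `ou=groups` should return group names while an attempt to read `member` is refused.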