> Evolution does do authentication based on DNs, but the current scheme
> doesn't rely on the user typing in the DN (which most users would rather
> not remember)... So, we query on the email address they supply and get
> the DN for the matching entry, and authenticate based on that. The same
> scheme that Netscape uses (and I think OE, but I'm not completely
> sure...)

OE actually uses the DN to find the matching entry for authentication.

> There have been enough complaints from people that don't want to (or
> can't) enable anonymous read access on their ldap servers and/or want to
> authenticate vs. entries that don't have email addresses though, that
> I'm thinking we'll need a way to allow the user to specify the raw DN if
> they need to.

It would be helpful to have two modes of operation: the "regular user"
mode where they type in their email address for authentication, and the
"advanced user" mode which expects the raw DN.

I have actually been able to configure my LDAP server with limited
anonymous read access (only some of the fields in the authentication
record are publicly readable). Of course this works only if there are
just a handful of users that have authenticated access. Here is the
relevant portion of my slapd.conf:

# Allow access to the Manager record only to the Manager
access to dn="cn=Manager,dc=chawathe,dc=com"
        by self write
        by * none

# Allow everyone to read enough fields of the authentication record(s)
# to initiate the authentication process
# Many email/LDAP clients perform authentication based on the value of the
# "mail" entry in the authentication record. That's why they need read
# access to some of the entries in the record
access to dn="cn=Yatin Chawathe,dc=chawathe,dc=com" attr=entry,dn,objectClass,cn,mail
        by self write
        by * read

# Everyone needs auth permission for the record(s) as well
# This allows enough permission to verify
# the client's password
access to dn="cn=Yatin Chawathe,dc=chawathe,dc=com"
        by self write
        by * auth

# Evo needs permission to read this to access the schema
access to dn="cn=Subschema"
        by self write
        by * read

# The default access permissions
access to *
        by dn="cn=Manager,dc=chawathe,dc=com" write
        by dn="cn=Yatin Chawathe,dc=chawathe,dc=com" write
        by * none

Hope this helps,
Yatin

_______________________________________________
evolution maillist - [EMAIL PROTECTED]
http://lists.ximian.com/mailman/listinfo/evolution
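As an added illustration (not part of Yatin's post or of slapd itself), the following Python models the access rules quoted above and walks through the "look up the DN by mail anonymously, then bind as that DN" flow the thread describes. The directory entries, the requester identities and the sample passwords are constructed for the example; the rule evaluation follows slapd's documented order (first matching "access to" target, then first matching "by" clause, with each level implying the lower ones).

```python
"""
Constructed model of the slapd.conf access rules from the post, used to
check which requester may do what and to simulate the two-step
"search by mail, then bind" client flow. It does not contact a server.
"""

# Access levels in increasing order; a granted level implies every lower one.
# 'auth' is the minimum a simple bind needs on userPassword.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

MANAGER = "cn=Manager,dc=chawathe,dc=com"
USER = "cn=Yatin Chawathe,dc=chawathe,dc=com"

# Rules transcribed from the post, in order. Each rule is
# (target dn or "*", attribute set or None for all, [(who, level), ...]).
# "self" means the requester is bound as the target entry; "*" is anyone,
# including anonymous (requester None).
ACL = [
    (MANAGER, None, [("self", "write"), ("*", "none")]),
    (USER, {"entry", "dn", "objectClass", "cn", "mail"},
     [("self", "write"), ("*", "read")]),
    (USER, None, [("self", "write"), ("*", "auth")]),
    ("cn=Subschema", None, [("self", "write"), ("*", "read")]),
    ("*", None, [(MANAGER, "write"), (USER, "write"), ("*", "none")]),
]

# Constructed directory contents; passwords are fake sample values.
DIRECTORY = {
    MANAGER: {"objectClass": ["organizationalRole"], "cn": ["Manager"],
              "userPassword": ["manager-secret"]},
    USER: {"objectClass": ["inetOrgPerson"], "cn": ["Yatin Chawathe"],
           "mail": ["yatin@chawathe.com"], "userPassword": ["user-secret"],
           "homePhone": ["555-0100"]},
}


def granted_level(requester, target_dn, attr):
    """Level `requester` (a DN, or None for anonymous) holds on `attr` of
    `target_dn`: the first rule whose target and attribute list match
    decides, and within it the first applicable 'by' clause."""
    for dn, attrs, clauses in ACL:
        if dn != "*" and dn != target_dn:
            continue
        if attrs is not None and attr not in attrs:
            continue
        for who, level in clauses:
            if who == "*" or (who == "self" and requester == target_dn) \
                    or who == requester:
                return level
        return "none"   # target matched but no clause applied
    return "none"       # nothing matched: slapd's default is no access


def allowed(requester, target_dn, attr, needed):
    """True if the granted level is at least `needed`."""
    return LEVELS.index(granted_level(requester, target_dn, attr)) \
        >= LEVELS.index(needed)


def dn_for_mail(requester, mail):
    """Find the DN whose 'mail' equals `mail`, honouring the ACL: the
    requester needs 'search' on both the entry and the mail attribute."""
    for dn, entry in DIRECTORY.items():
        if mail in entry.get("mail", []) \
                and allowed(requester, dn, "entry", "search") \
                and allowed(requester, dn, "mail", "search"):
            return dn
    return None


def simple_bind(dn, password):
    """Simulated simple bind. The connection is still anonymous at bind
    time, so anonymous needs 'auth' on userPassword of the entry."""
    entry = DIRECTORY.get(dn)
    if entry is None or not allowed(None, dn, "userPassword", "auth"):
        return False
    return password in entry["userPassword"]


def login_by_mail(mail, password):
    """The client flow from the thread: anonymous search by mail for the
    DN, then bind as that DN. Returns the bound DN, or None on failure."""
    dn = dn_for_mail(None, mail)
    if dn is None:
        return None
    return dn if simple_bind(dn, password) else None


if __name__ == "__main__":
    print("anonymous may read mail:", allowed(None, USER, "mail", "read"))
    print("anonymous may read homePhone:", allowed(None, USER, "homePhone", "read"))
    print("login:", login_by_mail("yatin@chawathe.com", "user-secret"))
```

Two things the model makes visible: anonymous clients can read only the attributes listed in the second rule and get just enough on the rest of Yatin's entry to bind, and the "by dn=... write" grants in the final catch-all rule never apply to the Manager or Yatin entries themselves, because an earlier rule already matched those targets and first match wins.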