I prefer to define specific access like:
anonymous readers can only auth,
users after authentication can read and modify.
And I don't want to enter the cn=admin user password into client software,
so I try to create a cn=redmine-user which I can use to bind with the Redmine
LDAP authentication, and which has the right to write only to a group
ou=redmine.
Deactivate the anonymous bind globally:
dn: cn=config
changetype: modify
add: olcDisallows
olcDisallows: bind_anon
To force authentication globally:
dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcRequires
olcRequires: authc
Or here is an equivalent with an ACL? (But I don't see the difference between
these two types of configuration ...)
# attribute name is olcAccess; continuation lines must start with a space
olcAccess: to attrs=userPassword
  by self read
  by anonymous auth
  by * none
And after that I need to make an ACL to authorize my cn=redmine-user to write
only to a group ou=redmine, but I have no idea how to write this.
What do you think about that?
Thanks, best regards,
Sr
On Sun, Dec 11, 2011 at 8:18 AM, Dieter Klünter <[email protected]> wrote:
> On Sat, 10 Dec 2011 14:14:58 +0100,
> rey sebastien <[email protected]> wrote:
>
> > Hello,
> >
> > I'm looking for some information on how to make reader-only users on my OpenLDAP ..
> >
> > I already have cn=reader-only, and my DN is
> > "dc=parisgeo,dc=cnrs,dc=fr"
> >
> > How can I create a .ldif with a specific configuration to remove
> > anonymous user reading, and authorize reading of my LDAP only with
> > the cn=reader-only authentication?
>
> You may either make use of the database-specific configuration
> parameter 'olcReadOnly: TRUE' as described in man slapd-config(5) or
> define an appropriate access rule; see man slapd-access(5) for further
> information.
>
>
> -Dieter
>
> --
> Dieter Klünter | Systemberatung
> http://dkluenter.de
> GPG Key ID:DA147B05
> 53°37'09,95"N
> 10°08'02,42"E
>
>
--
<http://stackoverflow.com/users/385881/reyman64>
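As an added example (not from this thread), the password rule and the ou=redmine rule combined into one LDIF for the data database; it assumes the database is olcDatabase={1}hdb,cn=config and that the service account entry is cn=redmine-user,dc=parisgeo,dc=cnrs,dc=fr (suffix taken from the original question).

```ldif
# Added example, not from the thread. Assumptions: the data database is
# olcDatabase={1}hdb,cn=config and the service account entry is
# cn=redmine-user,dc=parisgeo,dc=cnrs,dc=fr.
# "replace" overwrites every existing olcAccess value, so dump the current
# ones first (ldapsearch -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config olcAccess)
# and merge them in here if you need to keep any.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Rule {0}: the password attribute. "by anonymous auth" is still required so
# that a simple bind (DN + password) can be verified; it does not let anyone
# read the hash. Users may change their own password, nobody else sees it.
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# Rule {1}: the Redmine subtree. Only the service account may write here;
# every other authenticated user may read it.
olcAccess: {1}to dn.subtree="ou=redmine,dc=parisgeo,dc=cnrs,dc=fr"
  by dn.exact="cn=redmine-user,dc=parisgeo,dc=cnrs,dc=fr" write
  by users read
  by * none
# Rule {2}: everything else is read-only for authenticated users and
# invisible to anonymous. Rules are evaluated in order and the first matching
# "to" clause wins, so this catch-all must stay last.
# Difference from "olcRequires: authc": that setting refuses every operation
# on an unauthenticated connection globally, whereas these ACLs decide per
# entry and attribute and still let anonymous perform the bind itself.
# The rootdn (cn=admin) is never subject to ACLs.
olcAccess: {2}to *
  by users read
  by * none
```

Load it on the server with `ldapmodify -Y EXTERNAL -H ldapi:/// -f redmine-acl.ldif`, then verify with `ldapsearch -x -D "cn=redmine-user,dc=parisgeo,dc=cnrs,dc=fr" -W` that the account can read the tree but only modify entries under ou=redmine before pointing Redmine at it.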