Hi, really appreciate your help.

1 - Well, users only authenticate their passwords, nothing else, on the client side to log in to the server, so I guess anon logins should not be allowed.
2 - I use the Manager account to log in to the phpLDAPadmin console or Apache Directory Studio.
3 - Password and groups and ppolicy
4 - Using PAM on the client side, a human is expected to provide username and password, which is working along with the ppolicy, expiration time, password length and so on. I can provide how it's configured if you want.

Thanks for your time and support
Regards

2014-10-28 9:55 GMT-03:00 Andrew Findlay <andrew.find...@skills-1st.co.uk>:

> On Mon, Oct 27, 2014 at 03:43:03PM -0300, Net Warrior wrote:
>
> > Based on the ACL's I posted from my configuration, what else can you
> > recommend to include, tweak or modify?
>
> As both Michael and Dieter have said, this is very dependent on your
> site's requirements and policy. You need to work out what those are.
> If you can answer these questions, we might be able to help you some more:
>
> 1) Should an anonymous user be able to get any data at all?
>    (Ignore the root entry: we are talking about the subtree
>    under dc=domain,dc=com here)
>
> 2) What classes of user should have access to the data?
>    Examples might be:
>
>         LDAP administrator
>         Web applications
>         Desktop addressbook users
>         Webmail users
>         Directory synchronisation processes
>
> 3) For each of the above, what data (entries and attributes)
>    do they need?
>
> 4) How will the users authenticate to the LDAP service?
>    i.e. Will the user DNs and passwords be configured into
>    the applications, or is the human user expected to supply
>    a username and password each time?
>
> Andrew
> --
> -----------------------------------------------------------------------
> |                 From Andrew Findlay, Skills 1st Ltd                 |
> | Consultant in large-scale systems, networks, and directory services |
> |     http://www.skills-1st.co.uk/                +44 1628 782565     |
> -----------------------------------------------------------------------