Old 09-18-2012, 07:47 AM
Matti Alho
 
ACI and authenticating clients/servers

Hi,

First, big thanks to all the people developing and maintaining 389ds! I've
been learning LDAP for a while and there is one question which I haven't been
able to figure out.


There are a bunch of Debian servers authenticating against 389ds. I
started with anonymous bind to get the basic setup working. Now I would
like to limit access to 389ds. What is the best/recommended way to
achieve this? I have stuff under ou=Groups,dc=domain,dc=com (e.g.
ou=Sales,ou=Groups,dc=domain,dc=com) which I don't want to be visible
for clients/servers.


* Create an entry under people ou=People,dc=domain,dc=com and use that
for credentials on all servers? Create an ACI based on this?
* Create e.g. ou=Servers,dc=domain,dc=com, put an entry there for each
server separately and create an ACI based on this?


Thanks for answering my probably simple question!

Mr. Matti Alho
--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
 
Old 09-18-2012, 09:10 AM
Grzegorz Dwornicki
 
ACI and authenticating clients/servers

You can create an ACI on ou=Groups,dc=domain,dc=com. This ACI can deny search, compare, read of ou=Sales. All LDAP clients included in the target of this ACI will not see your Sales OU. This can be targeted to some users and anonymous bind. Please look in the Red Hat docs: Red Hat Directory Server admin guide.



I'm writing from my phone and it is hard to type complex structures. Later, if no one else helps and you do not succeed on your own, I will provide an example ACI.


Greg.

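An added example, not posted by anyone in the thread: an LDIF sketch combining the per-server bind entry from the question with the deny ACI described in the reply. The account name uid=web01, the ou=Servers container, the ACI name and the password value are placeholders chosen for illustration.

```ldif
# Added example. uid=web01, ou=Servers and the password are placeholders.

# 1. Container for the per-server bind accounts.
dn: ou=Servers,dc=domain,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: Servers

# 2. One bind account per server, so a single host's credentials can be
#    disabled or rotated without touching the others.
dn: uid=web01,ou=Servers,dc=domain,dc=com
changetype: add
objectClass: top
objectClass: account
objectClass: simpleSecurityObject
uid: web01
userPassword: REPLACE-WITH-A-GENERATED-SECRET

# 3. Deny ACI stored on ou=Groups and targeting only the Sales subtree.
#    "ldap:///anyone" matches anonymous and every authenticated bind; the
#    Directory Manager is not subject to ACIs and still sees the subtree.
#    To hide Sales from the server accounts only, use instead:
#      userdn = "ldap:///uid=*,ou=Servers,dc=domain,dc=com"
#    A deny takes precedence over any allow ACI that also matches.
#    Continuation lines start with two spaces: the first marks the LDIF
#    fold, the second is kept as part of the value.
dn: ou=Groups,dc=domain,dc=com
changetype: modify
add: aci
aci: (target = "ldap:///ou=Sales,ou=Groups,dc=domain,dc=com")
  (targetattr = "*")
  (version 3.0; acl "Hide Sales subtree from clients";
  deny (read, search, compare)
  userdn = "ldap:///anyone";)
```

Load the file with ldapmodify while bound as the Directory Manager, then run an ldapsearch with base ou=Sales,ou=Groups,dc=domain,dc=com as uid=web01 and anonymously; neither search should return any entries.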
 
