From owner-freebsd-doc@FreeBSD.ORG Thu Nov 20 19:01:54 2008
Date: Thu, 20 Nov 2008 13:56:07 -0500
From: Toby Burress <kurin@delete.org>
To: Dieter Kluenter
Cc: freebsd-doc@freebsd.org
Subject: Re: some more errors
Message-ID: <20081120185607.GB60958@lithium.delete.org>
In-Reply-To: <87iqqifj18.fsf@rubin.l4b.de>
References: <87iqqifj18.fsf@rubin.l4b.de>

On Thu, Nov 20, 2008 at 05:40:03PM +0100, Dieter Kluenter wrote:
> Hi,
> now reading
> http://www.freebsd.org/doc/en/articles/ldap-auth/secure.html
>
> there are better ways to model this sort of access control (example 8
> and example 9). man slapd.access(5) describes a 'privilege model' that
> is more applicable. Your examples are not wrong but only state of the
> art in 1998, and OpenLDAP has been developed actively since then.

heh, you think that's bad, you should see the tree I inherited in my
current job.  I'll see if I can rework that section.

> The example 10, creating a management group, is absolutely bogus.
> The attribute type memberUid has syntax IA5String, but your example
> shows attribute values of distinguishedName syntax.

I believe that is a result of my understanding of the way pam_ldap
handled memberUid on FreeBSD.  Basically, if you have a group, and you
only want members of that group to be able to auth via PAM, you need the
entire DN in that group's memberUid attributes.  I show this in 3.1.1 of
the article.
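A constructed slapd.conf fragment, added here and not taken from the FreeBSD article or from either mail, showing the two group styles the thread contrasts (posixGroup/memberUid holding uid strings versus groupOfNames/member holding DNs) and the slapd.access(5) privilege model Dieter refers to; the suffix dc=example,dc=com, the group names and the uid are assumptions.

```conf
# Added example; all DNs, group names and uids below are constructed.
#
# Group entries (LDIF) that the ACLs refer to. posixGroup/memberUid has
# IA5String syntax and carries plain uid values; a group that must hold
# DNs uses groupOfNames/member instead, which is what "by group" expects.
#
#   dn: cn=wheel,ou=groups,dc=example,dc=com
#   objectClass: posixGroup
#   cn: wheel
#   gidNumber: 0
#   memberUid: tburress
#
#   dn: cn=ldapadmins,ou=groups,dc=example,dc=com
#   objectClass: groupOfNames
#   cn: ldapadmins
#   member: uid=tburress,ou=people,dc=example,dc=com

# Privilege model: "=" grants exactly the listed privileges
# (m manage, w write, r read, s search, c compare, x auth, d disclose).
# Management group: full access to password hashes.
# Self: may change (w) and bind with (x) the password, but not read it.
# Anonymous: may only bind (x). Everyone else: nothing.
access to attrs=userPassword
    by group/groupOfNames/member="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by self =wx
    by anonymous =x
    by * none

# Remaining attributes: admins write, authenticated users read,
# anonymous nothing. Keep this catch-all last; the first matching
# "by" clause ends evaluation.
access to *
    by group/groupOfNames/member="cn=ldapadmins,ou=groups,dc=example,dc=com" write
    by users read
    by * none
```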