Date: Thu, 20 Nov 2008 13:56:07 -0500
From: Toby Burress <kurin@delete.org>
To: Dieter Kluenter <dieter@dkluenter.de>
Cc: freebsd-doc@freebsd.org
Subject: Re: some more errors
Message-ID: <20081120185607.GB60958@lithium.delete.org>
In-Reply-To: <87iqqifj18.fsf@rubin.l4b.de>
References: <87iqqifj18.fsf@rubin.l4b.de>
On Thu, Nov 20, 2008 at 05:40:03PM +0100, Dieter Kluenter wrote:
> Hi,
> now reading
> http://www.freebsd.org/doc/en/articles/ldap-auth/secure.html
>
> there are better ways to model this sort of access control (example 8
> and example 9) man slapd.access(5) describes a 'privilege model' that
> is more applicable. Your examples are not wrong but only state of the
> art in 1998, and OpenLDAP has been developed actively since then.

heh, you think that's bad, you should see the tree I inherited in my
current job. I'll see if I can rework that section.

> The example 10 creating a management group, is absolutely bogus.
> The attribute type memberuid has syntax IA5string, but your example
> shows attribute values of distinguishedName syntax.

I believe that is a result of my understanding of the way pam_ldap
handled memberUid on FreeBSD. Basically, if you have a group, and you
only want members of that group to be able to auth via PAM, you need
the entire DN in that group's memberUid attributes. I show this in
3.1.1 of the article.
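An added check, not part of this thread or of the article it discusses: it parses LDIF group entries and flags memberUid values that are written as DNs, which is the syntax mismatch raised above (memberUid is IA5String and conventionally carries a login name; DN-valued membership belongs in a DN-syntax attribute such as member). The sample LDIF, the function names and the "attr=value,attr=value" DN heuristic are this example's own assumptions.

```python
"""Flag memberUid values written as DNs in LDIF groups.  memberUid (RFC 2307
posixGroup) is IA5String and conventionally holds a login name, not a DN."""
import base64

# Constructed sample: a folded DN value and a base64 value under memberUid.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
memberUid: alice
memberUid: uid=bob,ou=people,
 dc=example,dc=com
memberUid:: ZXZl

dn: cn=wheel,ou=groups,dc=example,dc=com
member: uid=carol,ou=people,dc=example,dc=com
"""

def parse_ldif(text):
    """Return entries as lists of (attr, value); unfolds continuation lines
    (leading space) and decodes base64 values introduced by '::'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)
    entries, current = [], []
    for line in unfolded + [""]:             # trailing "" flushes last entry
        if line == "":
            if current:
                entries.append(current)
            current = []
        elif not line.startswith("#"):       # skip LDIF comments
            name, _, value = line.partition(":")
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.append((name.strip(), value.strip()))
    return entries

def member_uids(text):
    """Map each group DN to its decoded memberUid values."""
    return {next(v for a, v in e if a.lower() == "dn"):
            [v for a, v in e if a.lower() == "memberuid"]
            for e in parse_ldif(text)}

def dn_valued_member_uids(text):
    """Return (group DN, memberUid) pairs whose value looks like a DN, i.e.
    every comma-separated component has the form attr=value (heuristic)."""
    return [(dn, v) for dn, vals in member_uids(text).items()
            for v in vals if all("=" in p for p in v.split(","))]
```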