From owner-freebsd-hackers@FreeBSD.ORG Thu May 24 15:48:34 2007
Return-Path: 
X-Original-To: freebsd-hackers@freebsd.org
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 38D0216A41F for ; Thu, 24 May 2007 15:48:34 +0000 (UTC) (envelope-from mohacsi@niif.hu)
Received: from mail.ki.iif.hu (mail.ki.iif.hu [193.6.222.241]) by mx1.freebsd.org (Postfix) with ESMTP id EBB8313C45E for ; Thu, 24 May 2007 15:48:31 +0000 (UTC) (envelope-from mohacsi@niif.hu)
Received: by mail.ki.iif.hu (Postfix, from userid 1003) id 5A6975659; Thu, 24 May 2007 17:48:30 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by mail.ki.iif.hu (Postfix) with ESMTP id 584365656; Thu, 24 May 2007 17:48:30 +0200 (CEST)
Date: Thu, 24 May 2007 17:48:30 +0200 (CEST)
From: Mohacsi Janos
X-X-Sender: mohacsi@mignon.ki.iif.hu
To: Michael Bushkov
In-Reply-To: <465566A9.7040507@freebsd.org>
Message-ID: <20070524174123.S19560@mignon.ki.iif.hu>
References: <20070524112217.N166@mignon.ki.iif.hu> <465566A9.7040507@freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Cc: freebsd-hackers@freebsd.org
Subject: Re: nss_ldap without nscd or cached ?
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Thu, 24 May 2007 15:48:34 -0000

Hi Michael,

On Thu, 24 May 2007, Michael Bushkov wrote:

> Hello Mohacsi,
>
>> Another solution(?) would be to limit binddn access to read-only (also
>> limiting access to only a few attributes in LDAP); then exposing the bindpw
>> would not create a big problem. However, maintenance of LDAP ACIs could be
>> difficult: nss_ldap attribute mapping and attribute usage should be
>> documented....
>
> I think that limiting binddn access to read-only is the best practice whether
> you use nscd/cached or not. BTW, what kind of documentation do you need? I
> can possibly provide the necessary information.

I am curious only about which LDAP attributes will be used.... I would give
access only to those attributes in our LDAP servers which are necessary....

Thanks for your answer.

Regards,
Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882
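The thread above discusses confining the nss_ldap bind DN to read-only access over just the attributes the NSS maps consume, so that a bindpw recovered from a world-readable nss_ldap.conf (or from a client without nscd/cached in front of it) gives an attacker nothing beyond what getpwent(3)/getgrent(3) already return. The following is an added illustration in OpenLDAP slapd.conf access-directive syntax; it is not from the thread, from nss_ldap or from any FreeBSD configuration. The service DN cn=nss,ou=services,dc=example,dc=com, the suffix dc=example,dc=com and the ou=People / ou=Group containers are assumed names. The attribute list is the default RFC 2307 posixAccount/posixGroup set that nss_ldap queries when no nss_map_attribute overrides are configured; a deployment that remaps attributes in nss_ldap.conf must adjust the list accordingly.

```conf
# Added example (slapd.conf access directives), not part of the mailing-list thread.
# Assumed DNs: cn=nss,ou=services,dc=example,dc=com is the nss_ldap binddn,
# ou=People and ou=Group under dc=example,dc=com hold posixAccount/posixGroup entries.

# Weak form: whatever holds the bindpw can read the whole directory,
# including userPassword hashes and any attributes unrelated to NSS.
#
# access to *
#     by dn.exact="cn=nss,ou=services,dc=example,dc=com" read
#     by * none

# Hardened form.
# 1. Password hashes are never readable by the service account: "auth" lets a
#    client bind with the value without reading it; only the owner may change it.
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none

# 2. passwd map: the attributes nss_ldap needs to build a struct passwd.
#    "entry" is the pseudo-attribute that allows the entry itself to be returned,
#    and objectClass is needed because nss_ldap filters on (objectClass=posixAccount).
access to dn.subtree="ou=People,dc=example,dc=com"
       attrs=entry,objectClass,uid,uidNumber,gidNumber,cn,gecos,homeDirectory,loginShell
    by dn.exact="cn=nss,ou=services,dc=example,dc=com" read
    by * none

# 3. group map: nss_ldap filters on (objectClass=posixGroup) and reads the members.
access to dn.subtree="ou=Group,dc=example,dc=com"
       attrs=entry,objectClass,cn,gidNumber,memberUid
    by dn.exact="cn=nss,ou=services,dc=example,dc=com" read
    by * none

# 4. Everything else (other containers, other attributes) is denied to the service
#    DN. Later directives never widen what an earlier matching directive granted.
access to *
    by * none
```

Because slapd evaluates access directives in order and stops at the first one whose target matches, the userPassword rule must precede the People-subtree rule, otherwise the broader attrs list in a later rule would be unreachable for that attribute anyway, but the reverse ordering mistake (a catch-all read rule placed first) silently reopens everything. A quick check after loading the configuration is to bind as the service DN with ldapsearch and request an attribute outside the list (userPassword, for example): the entry should come back with that attribute absent, and a search outside ou=People and ou=Group should return no entries at all.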