Yes, actually that's exactly what I intended to do. I tried implementing the ACLs the way you had suggested, but somehow I am not able to work that out. I am not able to authenticate the users individually for my particular service. So I have implemented simple bind for now, as per Kurt's suggestion, for one service. Once it works, I will implement it for the other services too. (I am new to OpenLDAP, so my implementation is going slowly.) Currently, to reach my first milestone, I need to be able to bind to the server based on just one attribute in the DN. For example: ldapsearch -x -D "cn=Manager" -w password ... and so on. I was under the impression that I need to specify the complete DN every time for the -D option, but the requirements given to me contain just one attribute. Is there a way to append the base DN by default, so that we can specify just the attribute while binding to the server?
Thanks in advance for the help.
Prachi.

--- TechnoSophos <[EMAIL PROTECTED]> wrote:

> For our directory, I use a separate DN for binding. That way, we don't have to allow anonymous binding, but we also don't have to use some priv'ed account.
>
> Here is the basic idea:
>
> We have a user in the directory, "cn=Auth,dc=company,dc=com", and we give that user permissions (via ACLs) to authenticate other users.
>
>     access to attr=userPassword
>         by .... (the usual lines)
>         by dn="cn=Auth,dc=company,dc=com" auth
>         by * none
>
> And I use a similar ACL for attributes that Auth may need to search for (cn, uid, etc). These attributes, though, need read permissions (not just auth).
>
> Then we can deny Auth from just about everything else.
>
> Now, applications can bind as Auth, do searches for the correct DN, and then re-bind as that user.
>
> You'll have to tailor ACLs to your liking, but I think this is the sort of thing you have in mind, right?
>
> (Reading on, I see that Kurt suggests the possibility of doing a simple bind, where you bind directly as the DN that you want to use. In that case, there is no searching/re-binding step. That's another option, too -- maybe a faster one.)
>
> On 6/14/06, Prachi Sonalkar <[EMAIL PROTECTED]> wrote:
> > Hi Kurt,
> > Thanks for the reply, and suggestions.
> >
> > Following up on the same issue, is it possible that I can have more than one bind DN configured? Currently in slapd.conf, I have my rootdn as "cn=Manager, dc=company, dc=com". Can I add another DN that can be used for authentication? ex: cn=service1,dc=company,dc=com. The idea was that for each service, if I have a bind DN, users for that service identity can authenticate based on the service bind DN. I am adding a service name attribute to each user entry. On the client's end, I am just using simple LDAP queries to get data from the server; no updates required.
> >
> > Thanking you in advance,
> > Prachi Sonalkar.
> >
> > --- "Kurt D. Zeilenga" <[EMAIL PROTECTED]> wrote:
> >
> > > At 02:28 PM 6/12/2006, Prachi Sonalkar wrote:
> > > > Hi all,
> > > > I am currently setting up an LDAP server using OpenLDAP, and I need to specify a few bind DNs, specific to various service applications in the organization. I need to also set up a limit on the number of bind DN connections,
> > >
> > > I assume you want to limit the number of connections a particular authentication identity (or, maybe, authorization identity) may have open to a particular server. At present, no such mechanism exists.
> > >
> > > > which I am not aware how to do (I tried to dig in through the OpenLDAP FAQs). I tried to configure ldap.conf with bind dn and bindpw values as follows:
> > > >
> > > >     domain company.com
> > > >     server company.com:389
> > > >     BASE dc=company,dc=com
> > > >     binddn "cn=service1,dc=company,dc=com"
> > > >     bindpw password
> > >
> > > domain, server, and bindpw are not valid OpenLDAP ldap.conf(5) directives. See ldap.conf(5) for details.
> > >
> > > Anyways, OpenLDAP ldap.conf(5) provides defaults for the LDAP client library. As it seems to me that you are looking for some server-side administrative control, I do not see how this file could be relevant.
> > >
> > > > but the specified bind dn and password are not accepted to establish a bind to the LDAP server.
> > >
> > > Given the above, that's not surprising.
> > >
> > > > The idea is to enable authorized services to establish a persistent bind connection with the LDAP server;
> > >
> > > Seems like you seek information about a particular directory application/client. If so, you should do so on a list about that application/client.
> > >
> > > > and also limit the number of such bind connections at the LDAP end.
> > >
> > > Regarding server limits, see above note.
> > >
> > > > Has someone tried this, and can you suggest what is going wrong?
> > > >
> > > > Any help will be appreciated!
> > > >
> > > > Thanks,
> > > > PS.
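The server side of TechnoSophos' suggestion, written out as an added example (this is not configuration from the thread or from the OpenLDAP project): a slapd.conf fragment that defines the dedicated low-privilege bind identity cn=Auth and the ACLs that let it locate a user's DN without being able to read anyone's password. The dc=company,dc=com suffix and cn=Auth come from the thread; the ou=people subtree, the serviceName attribute (Prachi's "service name attribute" is never named) and the limits values are assumptions. cn=Auth is an ordinary entry with a userPassword, added with ldapadd, not a second rootdn: any entry that has a userPassword can bind, which also answers the "more than one bind DN" question.

```conf
# Added example, not configuration from the thread or from OpenLDAP.
# Assumed: ou=people subtree, serviceName attribute, limits values.

rootdn      "cn=Manager,dc=company,dc=com"
rootpw      {SSHA}...          # hashed value from slappasswd, never cleartext

# ACLs are evaluated in order: the first "access to" clause whose target
# matches is used, and within it the first "by" clause whose requester matches.

# Passwords: an entry may change its own; the Bind operation itself needs
# "auth" access, which the anonymous clause grants; nobody, cn=Auth included,
# can read a password value.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# What cn=Auth needs to find a user's DN: the entry pseudo-attribute plus the
# attributes it searches on. These need "read", not just "auth".
access to attrs=entry,uid,cn,serviceName
        by dn.exact="cn=Auth,dc=company,dc=com" read
        by users read
        by * none

# Everything else is closed to cn=Auth and to anonymous clients.
access to *
        by dn.exact="cn=Auth,dc=company,dc=com" none
        by users read
        by * none

# Kurt's point stands: there is no per-identity cap on open connections.
# The nearest available control is a per-requester size/time limit on
# search operations (values assumed).
limits dn.exact="cn=Auth,dc=company,dc=com" size=100 time=10
```

Note that the ldapsearch example in Prachi's reply binds as cn=Manager, which is the rootdn: the rootdn bypasses every ACL above, so a service should bind as cn=Auth (or, for Kurt's direct simple bind, as the user's own entry), never as the rootdn.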
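The client side of the two options discussed, as an added example that is not code from the thread or from OpenLDAP: TechnoSophos' "bind as cn=Auth, search for the user's DN, re-bind as that user" flow, Kurt's plain simple bind, and the client-side "append the base DN to a single attribute" step Prachi asks about (ldapsearch -D takes a full DN, so the client has to build it). The value placed in the search filter and in the RDN is escaped per RFC 4515 and RFC 4514, otherwise a login such as `x)(uid=*` rewrites the filter. FakeConnection is a constructed in-memory stand-in that mirrors the two python-ldap method names the flows use (simple_bind_s, search_s) so the example runs offline; the directory entries, the ou=people subtree, the uid values and the passwords are made up. dc=company,dc=com and cn=Auth are taken from the thread.

```python
# Added example, not code from the thread or from OpenLDAP. FakeConnection and
# the DIRECTORY contents are constructed; with python-ldap you would instead
# use ldap.initialize(uri) and the same two method names.

SCOPE_SUBTREE = 2  # numeric value python-ldap gives ldap.SCOPE_SUBTREE


class InvalidCredentials(Exception):
    """Stand-in for ldap.INVALID_CREDENTIALS."""


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return ''.join('\\%02x' % ord(ch) if ch in '\\*()\x00' else ch
                   for ch in value)


def escape_dn_value(value):
    """RFC 4514 escaping for an attribute value used as an RDN value."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == '\x00':
            out.append('\\00')
        elif (ch in ',+"\\<>;=' or (ch == ' ' and i in (0, last))
              or (ch == '#' and i == 0)):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def short_name_to_dn(value, attr='cn', base_dn='dc=company,dc=com'):
    """The 'append the base DN by default' step: 'Manager' -> full bind DN."""
    return '%s=%s,%s' % (attr, escape_dn_value(value), base_dn)


def direct_bind(conn, login, password, attr='cn', base_dn='dc=company,dc=com'):
    """Kurt's option: one simple bind straight as the user's DN, no search."""
    user_dn = short_name_to_dn(login, attr, base_dn)
    conn.simple_bind_s(user_dn, password)  # raises InvalidCredentials on failure
    return user_dn


def search_then_rebind(conn, base_dn, auth_dn, auth_pw, login_attr, login, password):
    """TechnoSophos' option. Returns the user's DN on success, None when the
    login matches zero or several entries (never guess which one), and raises
    InvalidCredentials when the user's password is wrong."""
    conn.simple_bind_s(auth_dn, auth_pw)
    flt = '(%s=%s)' % (login_attr, escape_filter_value(login))
    hits = conn.search_s(base_dn, SCOPE_SUBTREE, flt, ['1.1'])  # '1.1': DNs only
    if len(hits) != 1:
        return None
    user_dn = hits[0][0]
    conn.simple_bind_s(user_dn, password)
    return user_dn


class FakeConnection(object):
    """Constructed in-memory stand-in for an ldap.LDAPObject."""

    def __init__(self, entries):
        self.entries = entries  # {dn: {attribute: [values]}}
        self.bound_as = None

    def simple_bind_s(self, who, cred):
        entry = self.entries.get(who)
        if entry is None or cred not in entry.get('userPassword', []):
            self.bound_as = None
            raise InvalidCredentials(who)
        self.bound_as = who

    def search_s(self, base, scope, filterstr, attrlist=None):
        # Understands only the single equality filter built above; values are
        # compared in escaped form, so an injected filter never matches.
        attr, _, wanted = filterstr[1:-1].partition('=')
        hits = []
        for dn, entry in self.entries.items():
            in_scope = dn == base or dn.endswith(',' + base)
            values = [escape_filter_value(v) for v in entry.get(attr, [])]
            if in_scope and wanted in values:
                hits.append((dn, {}))
        return hits


# Constructed sample directory (made-up entries and passwords).
DIRECTORY = {
    'cn=Manager,dc=company,dc=com': {'userPassword': ['password']},
    'cn=Auth,dc=company,dc=com': {'userPassword': ['auth-secret']},
    'uid=alice,ou=people,dc=company,dc=com': {'uid': ['alice'], 'userPassword': ['wonderland']},
    'uid=bob,ou=people,dc=company,dc=com': {'uid': ['bob'], 'userPassword': ['builder']},
}

if __name__ == '__main__':
    conn = FakeConnection(DIRECTORY)
    print(direct_bind(conn, 'Manager', 'password'))
    print(search_then_rebind(conn, 'dc=company,dc=com', 'cn=Auth,dc=company,dc=com',
                             'auth-secret', 'uid', 'alice', 'wonderland'))
```

Two design points worth keeping in a real client: refuse to proceed when the search returns anything other than exactly one entry, and treat the login value as untrusted input in both the filter and the DN. The direct-bind option is cheaper but only works when the login attribute is the RDN of the user's entry; the search-then-rebind option works for any searchable attribute (uid, mail, or the per-service attribute Prachi mentions) at the cost of a second bind.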