Glen Turner wrote:

> If you just want to check the password then attempt to
> bind with the name and password provided

This method is no guarantee that you are checking what you
intend to check, in this case the password on the LDAP entry.

This method will check different passwords depending on the
slapd config.

When slapd is configured to use SASL/GSSAPI/Kerberos, LDAP
bind is not using the password item in the LDAP entry but
rather the password in the Kerberos principal.


> and then
> check that the objectClass is what you expect (you
> want a person, not a host or the multitude of other
> objects a directory can hold).

This is not a separate check in LDAP bind, but rather is integrated into
the -D parameter of your bind.

> Don't forget to check authorisation after you've
> done the authentication. Just because someone is
> in your LDAP doesn't mean that they are authorised
> (eg, some person objects might be members of a
> mailing list system which keeps its subscription
> list in LDAP).

Authorization is a function of the application that uses LDAP
authentication.

For example, once a user has authenticated using LDAP to
access a file system such as a Linux file system, authorization is
determined by the permission/uid/gid combinations on those
files and directories.

Another example: once a user has authenticated using LDAP to
access an OpenAFS file system, authorization is determined by the
ACL (access control list, in the OpenAFS context) on the files and directories.

Another example: once a user has authenticated using LDAP to access a Samba file
system, authorization is determined by Samba.

There are ACL (access control list, in the LDAP context) functionalities in LDAP
that are used to allocate specific services to users or groups of users, but
these ACLs are processed transparently and simultaneously as the LDAP
user is authenticated, not as an independent step after authentication. These
ACLs are configured in slapd.

Hope this helps.

O Plameras
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
