Posted to users@directory.apache.org by Tim Quinn <jp...@gmail.com> on 2007/03/22 00:43:44 UTC

[ApacheDS Authorization] Generic Bind User Config

I would like to create a non-privileged system user for other systems to do
authentication binds for centralized password management. I want to avoid
using anonymous binds to the server.

I only want this user to be able to bind and not have any browse / read /
modify / delete access to the directory.

Do I need to set up an Access Control Subentry to do this?

Any help is greatly appreciated.

;)

Re: [ApacheDS Authorization] Generic Bind User Config

Posted by Ersin Er <er...@gmail.com>.
On 3/24/07, Tim Quinn <jp...@gmail.com> wrote:
>
> On 3/21/07, Tim Quinn <jp...@gmail.com> wrote:
> >
> > I would like to create a non-privileged system user for other systems to
> > do authentication binds for centralized password management. I want to
> > avoid using anonymous binds to the server.
> >
> > I only want this user to be able to bind and not have any browse / read /
> > modify / delete access to the directory.
> >
> > Do I need to set up an Access Control Subentry to do this?
> >
> > Any help is greatly appreciated.
> >
> > ;)
> >
>
> I figured this one out and have gotten Authorization working correctly how
> I want. Looks like OOTB, any user can bind to any DN without requiring any
> ACI Authorization configuration as long as the user knows the complete DN to
> bind to. If the user requires search capability, then it may be necessary
> to configure Authorization.


Yes, there is no restriction on bind for any user. However, you can arrange
the ACIs according to the bind level (strong, simple). We might add more
detailed bind rules to the ACIs later.

> ..TQ
>



-- 
Ersin

Re: [ApacheDS Authorization] Generic Bind User Config

Posted by Tim Quinn <jp...@gmail.com>.
On 3/21/07, Tim Quinn <jp...@gmail.com> wrote:
>
> I would like to create a non-privileged system user for other systems to
> do authentication binds for centralized password management. I want to avoid
> using anonymous binds to the server.
>
> I only want this user to be able to bind and not have any browse / read /
> modify / delete access to the directory.
>
> Do I need to set up an Access Control Subentry to do this?
>
> Any help is greatly appreciated.
>
> ;)
>

I figured this one out and have gotten Authorization working correctly how I
want. Looks like OOTB, any user can bind to any DN without requiring any ACI
Authorization configuration as long as the user knows the complete DN to
bind to. If the user requires search capability, then it may be necessary to
configure Authorization.

..TQ