Date: Thu, 20 Nov 2008 21:40:53 +0100
From: "Dieter Kluenter" <dieter@dkluenter.de>
To: Toby Burress <kurin@delete.org>
Cc: freebsd-doc@freebsd.org
Subject: Re: some more errors
Message-ID: <87bpwa167e.fsf@rubin.l4b.de>
In-Reply-To: <20081120185607.GB60958@lithium.delete.org> (Toby Burress's message of "Thu, 20 Nov 2008 13:56:07 -0500")
References: <87iqqifj18.fsf@rubin.l4b.de> <20081120185607.GB60958@lithium.delete.org>
Toby Burress <kurin@delete.org> writes:

> On Thu, Nov 20, 2008 at 05:40:03PM +0100, Dieter Kluenter wrote:
>> Hi,
>> now reading
>> http://www.freebsd.org/doc/en/articles/ldap-auth/secure.html
>>
>> there are better ways to model this sort of access control (example 8
>> and example 9) man slapd.access(5) describes a 'privilege model' that
>> is more applicable. Your examples are not wrong but only state of the
>> art in 1998, and OpenLDAP has been developed actively since then.
>
> heh, you think that's bad, you should see the tree I inherited in
> my current job.

I can imagine :-)

> I'll see if I can rework that section.

This would be great.

>> The example 10 creating a management group, is absolutely bogus.
>> The attribute type memberuid has syntax IA5string, but your example
>> shows attribute values of distinguishedName syntax.
>
> I believe that is a result of my understanding of the way pam_ldap
> handled memberUid on FreeBSD. Basically, if you have a group, and
> you only want members of that group to be able to auth via PAM, you
> need the entire DN in that group's memberUid attributes. I show
> this in 3.1.1 of the article.

PAM can be configured to look either for

groupOfNames        member
groupOfUniqueNames  uniqueMember
posixGroup          memberUid

All three attribute types have different syntaxes and values.

Just as a request from my side, don't use groupOfUniqueNames unless
you have read and understood RFC-4517, section 3.3.21, and you really
want to implement it.

-Dieter

--
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N 10°08'02,42"E
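An added illustration of the syntax mismatch discussed above (not part of the thread or of the FreeBSD article): a small audit that reads group entries from LDIF and flags membership values whose shape does not fit the attribute's syntax, i.e. a DN stored in posixGroup's memberUid (IA5String) or a bare uid stored in member/uniqueMember (DN syntax). The LDIF reader, the DN pattern and the sample entries are constructed for this example.

```python
import re

# Membership attribute per group objectClass and whether its values are DNs
# (member, uniqueMember) or plain IA5 strings (posixGroup memberUid).
GROUP_MEMBER_ATTRS = {
    "groupofnames": ("member", True),
    "groupofuniquenames": ("uniqueMember", True),
    "posixgroup": ("memberUid", False),
}
# Loose DN shape: one or more "attr=value" RDNs separated by commas.
DN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*$")

def parse_ldif(text):
    """Minimal LDIF reader (no continuation lines): [(dn, {attr: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def check_group_members(dn, attrs):
    """Flag values whose shape does not fit the membership attribute's syntax."""
    problems = []
    for oc in attrs.get("objectclass", []):
        if oc.lower() in GROUP_MEMBER_ATTRS:
            attr, wants_dn = GROUP_MEMBER_ATTRS[oc.lower()]
            for value in attrs.get(attr.lower(), []):
                if bool(DN_RE.match(value)) != wants_dn:
                    need = "a DN" if wants_dn else "a plain uid (IA5String)"
                    problems.append(f"{dn}: {attr}={value!r} should be {need}")
    return problems

def audit(text):
    return [p for dn, a in parse_ldif(text) for p in check_group_members(dn, a)]

# Constructed sample; the second group repeats the mistake from the thread:
# a full DN stored in memberUid next to a correct bare uid.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=org
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=org

dn: cn=managers,ou=groups,dc=example,dc=org
objectClass: posixGroup
memberUid: alice
memberUid: uid=bob,ou=people,dc=example,dc=org
"""
```

Running `audit(SAMPLE_LDIF)` reports only the managers entry's DN-shaped memberUid value.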