Old 08-25-2004, 08:39 AM   #1
Ldap Authentication

I have a small technical problem in LDAP. I'm able to retrieve all the attributes except userPassword from the LDAP server. I have the following code.
access to *
by self write
by anonymous auth
by * read

What is wrong with the above code?

Thanks in advance.
Old 08-25-2004, 10:00 AM   #2
You are probably binding anonymously to the LDAP server. userPasswords are special in that not everybody can read all userPassword attributes.

So, like your "code" says ("by anonymous auth"), you can only authenticate as a non-anonymous user to the LDAP server. You will then be able to see your own (encrypted) userPassword. Only the LDAP server's "root" (which can be any CN within your directory) can read all userPasswords. Such an account can be specified within slapd.conf with:
rootdn "cn=admin,dc=yourdomain"
rootpw secret
or better, encrypt this special password with: slappasswd -h '{MD5}'
rootdn "cn=admin,dc=yourdomain"
rootpw {MD5}Xr4ilOzQ4PCOq3aQ0qbuaQ==
You could probably configure access-rules to give everybody (maybe including anonymous users) read-access to the userPassword attributes, but that's certainly not recommended! (if at all possible).

I suggest these ACLs (Access Control Lists):
access to attribute=userPassword
        by dn="cn=admin,dc=nodomain" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=nodomain" write
        by * read
and then not have the "rootdn" and "rootpw" lines in slapd.conf.
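Added example, not code from either post: a small Python model of how slapd evaluates access directives (first matching "access to" clause, then its first matching "by" clause, with privilege levels ordered as in slapd.access(5)), applied both to the suggested ACL and to the one from the first post. Entry DNs such as "uid=alice,dc=nodomain" and the "uid=bob" bind DN are made up.

```python
"""Toy model of OpenLDAP ACL evaluation (added example, not from the thread)."""

# slapd privilege levels, lowest to highest; a grant implies all lower levels.
# "auth" lets a bind compare a password against userPassword without reading it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

ADMIN = "cn=admin,dc=nodomain"

# Each rule: (attribute it covers, or "*" for everything; ordered "by" clauses).
SUGGESTED_ACL = [
    ("userPassword", [("dn:" + ADMIN, "write"), ("anonymous", "auth"),
                      ("self", "write"), ("*", "none")]),
    ("*", [("dn:" + ADMIN, "write"), ("*", "read")]),
]
# The ACL from the first post, for comparison.
ORIGINAL_ACL = [
    ("*", [("self", "write"), ("anonymous", "auth"), ("*", "read")]),
]

def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn:"):
        return bind_dn is not None and bind_dn.lower() == who[3:].lower()
    raise ValueError("unsupported 'by' selector: " + who)

def granted(acl, bind_dn, entry_dn, attribute):
    """Level slapd grants: the first 'access to' covering the attribute is
    chosen, then its first matching 'by' clause decides; no match means none."""
    for target, by_clauses in acl:
        if target != "*" and target.lower() != attribute.lower():
            continue
        for who, level in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return level
        return "none"  # implicit trailing "by * none"
    return "none"

def allowed(acl, bind_dn, entry_dn, attribute, wanted):
    """True if the granted level is at least the one the operation needs."""
    return LEVELS.index(granted(acl, bind_dn, entry_dn, attribute)) >= LEVELS.index(wanted)

if __name__ == "__main__":
    print(allowed(SUGGESTED_ACL, None, "uid=alice,dc=nodomain", "userPassword", "read"))
```

With the suggested ACL an anonymous bind gets only "auth" on userPassword and "read" on everything else, while another bound user gets "none" on someone else's userPassword; with the first post's ACL, anonymous gets only "auth" on every attribute and any other bound user falls through to "by * read" on userPassword.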

