Hi, I''m very new to FDS, but I have succeeeded in getting it up and running on top of CentOS 4.4, and have populated it with a basic list of users and their details. I''ve even got SSL working properly. Now I''d like to open port 636 to the outside world to let my users see the address list etc while they are outside the LAN. However I don''t want anyone to bind anonymously to then pull out all the staff details - emails, phone numbers etc - so I''d like to prevent anonymous binds and make sure that all users authenticate before being allowed to access the data. Could some kind person point me at the docs/info in order to do that? I did find the "Require Client Authentication" check box but I believe that is something else - or am I wrong? -- Cheers, Tony
George Holbert
2007-May-14 22:19 UTC
Re: [Fedora-directory-users] disable anonymous binding
You will want to set up ACIs to allow the minimum necessary access. See: http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html Be prepared for some trial-and-error experimentation to learn how to implement your intended access policy. Good luck! -- George Tony wrote:> Hi, > > I''m very new to FDS, but I have succeeeded in getting it up and > running on top of CentOS 4.4, and have populated it with a basic list > of users and their details. I''ve even got SSL working properly. Now > I''d like to open port 636 to the outside world to let my users see the > address list etc while they are outside the LAN. However I don''t want > anyone to bind anonymously to then pull out all the staff details - > emails, phone numbers etc - so I''d like to prevent anonymous binds and > make sure that all users authenticate before being allowed to access > the data. > > Could some kind person point me at the docs/info in order to do that? > I did find the "Require Client Authentication" check box but I believe > that is something else - or am I wrong? >
On 5/14/07, George Holbert <gholbert@broadcom.com> wrote:> You will want to set up ACIs to allow the minimum necessary access. > See: > http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html > Be prepared for some trial-and-error experimentation to learn how to > implement your intended access policy.Ah- a little light reading- thank you! Cheers, Tony
Ankur Agarwal
2007-May-15 05:36 UTC
Re: [Fedora-directory-users] disable anonymous binding
Create an ldif file like this:
============== dn:dc=example,dc=com
changetype: modify
replace: aci
aci: (target
="ldap:///dc=example,dc=com")(targetattr="*")(version 3.0;
acl "Deny anonymous access"; deny (read, search, compare)
userdn="ldap:///anyone";)
==============
Then run ldapmodify command:
./ldapmodify -h <HostName> -p <Port> -D "cn=Directory
Manager" -w <Directory Manager password> -cvf <path to ldif
file>
This should disable anonymous binding.
Cheers,
Ankur
Tony <pthagonal@gmail.com> wrote:
Hi,
I''m very new to FDS, but I have succeeeded in getting it up and
running on top of CentOS 4.4, and have populated it with a basic list
of users and their details. I''ve even got SSL working properly. Now
I''d like to open port 636 to the outside world to let my users see the
address list etc while they are outside the LAN. However I don''t want
anyone to bind anonymously to then pull out all the staff details -
emails, phone numbers etc - so I''d like to prevent anonymous binds and
make sure that all users authenticate before being allowed to access
the data.
Could some kind person point me at the docs/info in order to do that?
I did find the "Require Client Authentication" check box but I believe
that is something else - or am I wrong?
--
Cheers,
Tony
--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
---------------------------------
Yahoo! oneSearch: Finally, mobile search that gives answers, not web links.