Hi,

I'm very new to FDS, but I have succeeded in getting it up and running on top of CentOS 4.4, and have populated it with a basic list of users and their details. I've even got SSL working properly. Now I'd like to open port 636 to the outside world to let my users see the address list etc while they are outside the LAN. However I don't want anyone to bind anonymously to then pull out all the staff details - emails, phone numbers etc - so I'd like to prevent anonymous binds and make sure that all users authenticate before being allowed to access the data.

Could some kind person point me at the docs/info in order to do that? I did find the "Require Client Authentication" check box but I believe that is something else - or am I wrong?

--
Cheers, Tony
George Holbert
2007-May-14 22:19 UTC
Re: [Fedora-directory-users] disable anonymous binding
You will want to set up ACIs to allow the minimum necessary access. See:
http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html

Be prepared for some trial-and-error experimentation to learn how to implement your intended access policy.

Good luck!
-- George

Tony wrote:
> Hi,
>
> I'm very new to FDS, but I have succeeded in getting it up and
> running on top of CentOS 4.4, and have populated it with a basic list
> of users and their details. I've even got SSL working properly. Now
> I'd like to open port 636 to the outside world to let my users see the
> address list etc while they are outside the LAN. However I don't want
> anyone to bind anonymously to then pull out all the staff details -
> emails, phone numbers etc - so I'd like to prevent anonymous binds and
> make sure that all users authenticate before being allowed to access
> the data.
>
> Could some kind person point me at the docs/info in order to do that?
> I did find the "Require Client Authentication" check box but I believe
> that is something else - or am I wrong?
On 5/14/07, George Holbert <gholbert@broadcom.com> wrote:
> You will want to set up ACIs to allow the minimum necessary access.
> See:
> http://www.redhat.com/docs/manuals/dir-server/ag/7.1/acl.html
> Be prepared for some trial-and-error experimentation to learn how to
> implement your intended access policy.

Ah - a little light reading - thank you!

Cheers, Tony
Ankur Agarwal
2007-May-15 05:36 UTC
Re: [Fedora-directory-users] disable anonymous binding
Create an ldif file like this:

==============
# Note: "replace: aci" discards every ACI currently on the suffix entry,
# so list them first (search the entry for the aci attribute as Directory
# Manager) and re-add any you still need.
# "ldap:///anyone" also matches authenticated binds, and in FDS a deny
# always wins over an allow, so a deny on "anyone" would lock out every
# user. Granting read only to "ldap:///all" (authenticated users) and
# giving anonymous nothing is what restricts the data to logged-in users.
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (target="ldap:///dc=example,dc=com")(targetattr="*")(version 3.0; acl "Authenticated users only"; allow (read, search, compare) userdn="ldap:///all";)
==============

Then run ldapmodify command:

./ldapmodify -h <HostName> -p <Port> -D "cn=Directory Manager" -w <Directory Manager password> -cvf <path to ldif file>

This should disable anonymous binding.

Cheers,
Ankur

Tony <pthagonal@gmail.com> wrote:
> Hi,
>
> I'm very new to FDS, but I have succeeded in getting it up and running
> on top of CentOS 4.4, and have populated it with a basic list of users
> and their details. I've even got SSL working properly. Now I'd like to
> open port 636 to the outside world to let my users see the address list
> etc while they are outside the LAN. However I don't want anyone to bind
> anonymously to then pull out all the staff details - emails, phone
> numbers etc - so I'd like to prevent anonymous binds and make sure that
> all users authenticate before being allowed to access the data.
>
> Could some kind person point me at the docs/info in order to do that? I
> did find the "Require Client Authentication" check box but I believe
> that is something else - or am I wrong?
>
> --
> Cheers, Tony
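As an added example (not from anyone in this thread), a slightly fuller ACI set built the same way: the suffix ACIs are replaced so that only authenticated binds can read the address book, userPassword and the ACIs themselves are never readable, and each user can write only their own password. The suffix dc=example,dc=com and the attribute names are assumptions.

```ldif
# Added example, not from the original thread. Assumes the suffix is
# dc=example,dc=com and that the address book entries live beneath it.
# "replace: aci" drops every ACI already on the suffix entry, so record
# the current values first (search the suffix entry for "aci" as
# Directory Manager) and merge back any you still need.
# There is deliberately no rule for "ldap:///anyone": an anonymous bind
# still succeeds at the protocol level, but every search it performs
# returns no entries because nothing grants it read, search or compare.
# Authenticated users ("ldap:///all") get read access to everything
# except the password attribute and the ACIs.
# Only the bound user themselves ("ldap:///self") may write userPassword.
dn: dc=example,dc=com
changetype: modify
replace: aci
aci: (targetattr != "userPassword || aci")(version 3.0; acl "Authenticated users read the directory"; allow (read, search, compare) userdn = "ldap:///all";)
aci: (targetattr = "userPassword")(version 3.0; acl "Users change their own password"; allow (write) userdn = "ldap:///self";)
```

Apply it with ldapmodify as above, then check from outside the LAN: an ldapsearch over port 636 with no bind DN should return zero entries, while the same search bound as a real user (for example -D "uid=<user>,ou=People,dc=example,dc=com" -W, path assumed) should return the address list.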