some more errors
Toby Burress
kurin at delete.org
Thu Nov 20 19:01:54 UTC 2008
On Thu, Nov 20, 2008 at 05:40:03PM +0100, Dieter Kluenter wrote:
> Hi,
> now reading
> http://www.freebsd.org/doc/en/articles/ldap-auth/secure.html
>
> there are better ways to model this sort of access control (example 8
> and example 9) man slapd.access(5) describes a 'privilege model' that
> is more applicable. Your examples are not wrong but only state of the
> art in 1998, and OpenLDAP has been developed actively since then.
heh, you think that's bad, you should see the tree I inherited in
my current job.
I'll see if I can rework that section.
>
> Example 10, creating a management group, is absolutely bogus.
> The attribute type memberuid has syntax IA5string, but your example
> shows attribute values of distinguishedName syntax.
I believe that is a result of my understanding of the way pam_ldap
handled memberUid on FreeBSD. Basically, if you have a group, and
you only want members of that group to be able to auth via PAM, you
need the entire DN in that group's memberUid attributes. I show
this in 3.1.1 of the article.
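An audit for the memberUid syntax mismatch raised above, as an added example that is not part of this thread or of the FreeBSD article: it parses a constructed LDIF posixGroup entry and reports memberUid values that are DNs rather than the plain uid strings the attribute's IA5String syntax expects. The sample entry, the DN regex and the function names are assumptions for illustration.

```python
"""Flag memberUid values that are DNs instead of plain uids.

Added example; the LDIF below is constructed, not taken from the article.
"""
import base64
import re

# Constructed sample: a posixGroup mixing plain uids with full DNs,
# including a folded line and a base64-encoded (::) value.
SAMPLE_LDIF = """\
dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: posixGroup
cn: admins
gidNumber: 1000
memberUid: alice
memberUid: uid=bob,ou=people,
 dc=example,dc=com
memberUid:: dWlkPWNhcm9sLG91PXBlb3BsZSxkYz1leGFtcGxlLGRjPWNvbQ==
"""

# Assumed DN shape: comma-separated attribute=value pairs (RFC 4514 style).
DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=[^,]+(,\s*[A-Za-z][\w-]*=[^,]+)*\s*$")


def parse_ldif_entry(text):
    """Return {attr(lowercase): [values]} for one LDIF entry.

    Unfolds continuation lines (leading space), decodes '::' base64
    values and skips blank and comment lines.
    """
    unfolded = re.sub(r"\n ", "", text)
    entry = {}
    for line in unfolded.splitlines():
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def dn_valued_member_uids(entry):
    """Return memberUid values that look like DNs, not uid strings."""
    return [v for v in entry.get("memberuid", []) if DN_RE.match(v)]


def audit_group(ldif_text):
    """Return (group DN, offending memberUid values) for one entry."""
    entry = parse_ldif_entry(ldif_text)
    return entry.get("dn", [""])[0], dn_valued_member_uids(entry)
```

Running `audit_group(SAMPLE_LDIF)` reports the two DN-valued entries and leaves `alice` alone; the same check can be run over an `ldapsearch -LLL` dump of every group in the tree.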
More information about the freebsd-doc mailing list