[SAC] Anonymous and authenticated binding to the LDAP

Shawn,

After our firewall issues were fixed, I have been able to get our LDAP setup to allow anonymous authentication so that we do not have to have our cn=Manager binding throughout our setup.

I enabled these permissions on the LDAP:

access to attr=userPassword
         by self write
         by anonymous auth
         by users read

access to *
         by self write
         by users read
         by anonymous auth

This allows our authentication and HTTPAuth blocks to be as simple as (this is GDAL's Trac on test.osgeo.org):

    <Location "/gdal/login">
      AuthType Basic
      AuthName "GDAL Trac"
      AuthLDAPURL ldap://66.223.95.242:389/ou=people,dc=osgeo,dc=org?uid?sub?(objectClass=*)
      require group cn=gdal,ou=svn,dc=osgeo,dc=org
    </Location>

Can you confirm that I didn't just open up our LDAP to read/write to the entire world and that this looks ok?

Thanks

Howard

Check that, only these permissions seem to work:

access to *
        by self write
        by users read
        by anonymous auth

Howard
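Neither message shows how to check what these slapd ACLs actually grant. The Python below is an added example (not Howard's configuration and not part of the osgeo setup) that evaluates both the first ACL set and the revised one under OpenLDAP's documented ACL rules: the first `access to` clause whose target matches wins, within it the first matching `by` clause decides, access levels are cumulative (none < disclose < auth < compare < search < read < write < manage), and anything unmatched is denied. The requester roles `anonymous`, `self` and `users`, and the list of checks, are assumptions chosen for the illustration.

```python
# Added example: a minimal evaluator for the OpenLDAP ACL semantics relevant to the thread.
# It is not Howard's config and does not talk to a server; the ACL text is copied from the mail.
import re

# Cumulative access levels, lowest to highest, as documented for slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed inputs: the two ACL sets posted in the thread, verbatim.
FIRST_ACL = """
access to attr=userPassword
        by self write
        by anonymous auth
        by users read
access to *
        by self write
        by users read
        by anonymous auth
"""
REVISED_ACL = """
access to *
        by self write
        by users read
        by anonymous auth
"""


def parse_acl(text):
    """Parse 'access to <what>' / 'by <who> <level>' lines into [(what, [(who, level), ...])].
    Only the '*' and 'attr=<name>' targets used in the thread are handled."""
    clauses = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"access to (\S+)$", line)
        if m:
            current = (m.group(1), [])
            clauses.append(current)
            continue
        m = re.match(r"by (\S+) (\S+)$", line)
        if m and current is not None:
            current[1].append((m.group(1), m.group(2)))
    return clauses


def _target_matches(what, attr):
    if what == "*":
        return True
    m = re.match(r"attrs?=(.+)$", what)
    return bool(m) and attr.lower() in [a.strip().lower() for a in m.group(1).split(",")]


def _who_matches(who, requester):
    # requester: "anonymous" (unbound), "self" (bound as the entry's own DN),
    # or "users" (bound as some other DN). 'users' in an ACL covers every bound DN.
    if who == "*":
        return True
    if who == "users":
        return requester in ("self", "users")
    return who == requester


def granted_level(clauses, requester, attr):
    """Level the first matching clause grants; implicit 'by * none' and no-clause both deny."""
    for what, bys in clauses:
        if _target_matches(what, attr):
            for who, level in bys:
                if _who_matches(who, requester):
                    return level
            return "none"
    return "none"


def allows(clauses, requester, attr, op):
    return LEVELS.index(granted_level(clauses, requester, attr)) >= LEVELS.index(op)


# (requester, attribute, operation, what a defender wants to know)
CHECKS = [
    ("anonymous", "userPassword", "auth",   "anonymous bind can be checked against userPassword"),
    ("anonymous", "userPassword", "read",   "anonymous can read password hashes"),
    ("users",     "userPassword", "read",   "any bound user can read everyone's password hashes"),
    ("anonymous", "uid",          "search", "anonymous can search ou=people by uid"),
    ("users",     "uid",          "read",   "bound users can read other entries"),
    ("users",     "uid",          "write",  "bound users can modify other entries"),
]


def audit(acl_text):
    """Map each (requester, attr, op) check to True/False for the given ACL text."""
    clauses = parse_acl(acl_text)
    return {(r, a, op): allows(clauses, r, a, op) for r, a, op, _ in CHECKS}


if __name__ == "__main__":
    for name, acl in (("first ACL", FIRST_ACL), ("revised ACL", REVISED_ACL)):
        print(f"== {name}")
        result = audit(acl)
        for r, a, op, why in CHECKS:
            print(f"  {'ALLOW' if result[(r, a, op)] else 'deny '}  {r:9s} {op:6s} {a:13s} ({why})")
```

Running it shows the same two things for both ACL sets: `by anonymous auth` lets an unbound client authenticate but not read or search (so a web front end that searches for the uid before binding needs its own bind identity), and `by users read`, whether on `attr=userPassword` or on `*`, gives every bound account read access to every other entry's `userPassword`. A separate `userPassword` clause without `by users read` is the usual way to keep the hashes out of reach while still allowing authentication.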

On Feb 10, 2007, at 1:48 PM, Howard Butler wrote:
