Re: [Evolution] Evolution LDAP authentication



Evolution does do authentication based on DNs, but the current scheme
doesn't rely on the user typing in the DN (which most users would rather
not remember)... So, we query on the email address they supply and get
the DN for the matching entry, and authenticate based on that.  The same
scheme that netscape uses (and I think OE, but I'm not completely
sure...)

OE actually uses the DN to find the matching entry for authentication.

There have been enough complaints from people that don't want to (or
can't) enable anonymous read access on their ldap servers and/or want to
authenticate vs. entries that don't have email addresses though, that
I'm thinking we'll need a way to allow the user to specify the raw DN if
they need to.

It would be helpful to have two modes of operation: the "regular user"
mode where they type in their email address for authentication, and
the "advanced user" mode which expects the raw DN.

I have actually been able to configure my LDAP server with limited
anonymous read access (only some of the fields in the authentication
record are publicly readable).  Of course this works only if there are
just a handful of users that have authenticated access.  Here is the
relevant portion of my slapd.conf:

# Allow access to the Manager record only to the Manager
access to dn="cn=Manager,dc=chawathe,dc=com"
        by self write
        by * none

# Allow everyone to read enough fields of the authentication record(s)
# to initiate the authentication process
# Many email/LDAP clients perform authentication based on the value of the
# "mail" entry in the authentication record. That's why they need read
# access to some of the entries in the record
access to dn="cn=Yatin Chawathe,dc=chawathe,dc=com"
        attr=entry,dn,objectClass,cn,mail
        by self write
        by * read

# Everyone needs auth permission for the record(s) as well
# This allows enough permission to verify
# the client's password
access to dn="cn=Yatin Chawathe,dc=chawathe,dc=com"
        by self write
        by * auth

# Evo needs permission to read this to access the schema
access to dn="cn=Subschema"
        by self write
        by * read

# The default access permissions
access to *
        by dn="cn=Manager,dc=chawathe,dc=com" write
        by dn="cn=Yatin Chawathe,dc=chawathe,dc=com" write
        by * none

Hope this helps,

Yatin
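
The search-then-bind scheme described in the quoted message (anonymous search on the mail attribute, then bind as the DN that comes back) together with the raw-DN "advanced user" mode asked for above, written out as an added example. It is not part of the original thread and not Evolution's, Netscape's or OE's code. The ldap3 package, the server URI and the sample e-mail address are assumptions; the in-memory directory is constructed from the two DNs that appear in the slapd.conf above. The parts a practitioner tends to get wrong are handled explicitly: the typed e-mail address is escaped before it goes into the search filter (otherwise `*` or `x)(objectClass=*` rewrites the filter and can resolve to someone else's DN), an empty password is refused because a simple bind with no password is an anonymous bind that "succeeds" for any DN, and an ambiguous or empty lookup is reported rather than guessed, with a pointer to the raw-DN mode for servers that deny anonymous read.

```python
"""Search-then-bind LDAP login with an "advanced" raw-DN mode.

Added example; it is not Evolution's, Netscape's or OE's code. The pure
functions are exercised against a constructed in-memory directory, and
ldap3_login() is the real network path (assumes the ldap3 package).
"""
import re
from typing import Callable, Dict, List, Sequence

# (search base, RFC 4515 filter) -> DNs of the matching entries
SearchFn = Callable[[str, str], Sequence[str]]


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside a search filter (RFC 4515).

    Without this an "email" of `*` or `x)(objectClass=*` changes the filter
    and may resolve to somebody else's DN.
    """
    out = []
    for byte in value.encode('utf-8'):
        if byte in b'*()\\' or byte < 0x20 or byte >= 0x7f:
            out.append('\\%02x' % byte)
        else:
            out.append(chr(byte))
    return ''.join(out)


def mail_filter(email: str) -> str:
    """Filter the "regular user" mode sends as an anonymous search."""
    return '(mail=%s)' % escape_filter_value(email)


def resolve_bind_dn(identity: str, mode: str, base: str, search: SearchFn) -> str:
    """Map what the user typed to the DN to bind with.

    regular  : identity is an e-mail address; look the DN up anonymously.
    advanced : identity already is the DN; no anonymous read is needed, which
               is what a server with "by * none" on the user entries requires.
    """
    if mode == 'advanced':
        dn = identity.strip()
        if '=' not in dn:
            raise ValueError('advanced mode expects a DN, e.g. cn=...,dc=...')
        return dn
    if mode != 'regular':
        raise ValueError('mode must be "regular" or "advanced"')
    matches = list(search(base, mail_filter(identity)))
    if not matches:
        raise LookupError('no entry with mail=%r visible to the anonymous search '
                          '(anonymous read disabled, or the entry has no mail '
                          'attribute); supply the DN in advanced mode' % identity)
    if len(matches) > 1:
        raise LookupError('mail=%r matches %d entries; refusing to guess'
                          % (identity, len(matches)))
    return matches[0]


# Constructed sample directory; the e-mail address is made up for the example.
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    'cn=Manager,dc=chawathe,dc=com': {},
    'cn=Yatin Chawathe,dc=chawathe,dc=com': {'mail': ['yatin@chawathe.com']},
}


def sample_search(base: str, ldap_filter: str) -> List[str]:
    """Stand-in for the anonymous search: supports only (mail=value) and
    compares the unescaped value literally, as a real server would."""
    m = re.fullmatch(r'\(mail=(.*)\)', ldap_filter)
    if not m:
        return []
    wanted = re.sub(r'\\([0-9a-fA-F]{2})',
                    lambda h: chr(int(h.group(1), 16)), m.group(1))
    return [dn for dn, attrs in SAMPLE_DIRECTORY.items()
            if dn.endswith(base) and wanted in attrs.get('mail', [])]


def ldap3_login(server_uri: str, identity: str, password: str,
                mode: str = 'regular', base: str = 'dc=chawathe,dc=com'):
    """Real network path (assumes ldap3 is installed and a server is reachable)."""
    import ldap3  # imported lazily so the functions above work without it
    if not password:
        # A simple bind with an empty password is an anonymous bind (RFC 4513)
        # and would "succeed" for any DN. Refuse it up front.
        raise ValueError('empty password would be an anonymous bind')
    server = ldap3.Server(server_uri)

    def anon_search(search_base: str, ldap_filter: str) -> List[str]:
        conn = ldap3.Connection(server)          # no user: anonymous bind
        conn.bind()
        conn.search(search_base, ldap_filter,
                    search_scope=ldap3.SUBTREE, attributes=['mail'])
        dns = [entry.entry_dn for entry in conn.entries]
        conn.unbind()
        return dns

    dn = resolve_bind_dn(identity, mode, base, anon_search)
    conn = ldap3.Connection(server, user=dn, password=password)
    if not conn.bind():
        raise PermissionError('bind as %s failed: %s' % (dn, conn.result))
    return conn
```

Against the slapd.conf above, the regular mode works only because `mail` on the one user entry is readable `by *`; for any entry covered by the final `by * none` rule the anonymous search returns nothing and the code tells the user to switch to the raw-DN mode, which needs only the `by * auth` rule.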
