pam_ldap & binddn

Christos Ricudis ricudis at komodino.itc.auth.gr
Wed Sep 6 11:07:34 EEST 2006


Antonis Christofides wrote:
> As far as I understood, the reason for this whole business with the
> proxy user is that the client does not know the user's dn.  It would
> seem simpler and safer to me if, instead of defining a proxy user, I
> defined rules by which the client constructs the dn.  For example:
>
> BINDDN='uid=$USERNAME,dc=triakilakodika,dc=gr'
>

That would presuppose a flat structure in the tree, which more or less 
defeats the whole point of LDAP.  A user must be able to authenticate 
no matter which branch of the tree they sit in, without you knowing it 
in advance.

In general, you treat the LDAP tree as containing public information 
and handle it accordingly.  The ACLs must be configured so that an 
anonymous user, or even an authenticated non-administrative user, has 
no access to sensitive information (user passwords, or the Kerberos 
principals we were talking about earlier).

The problem with LDAP is that it is NOT designed to do authentication.  
It is designed to carry personal information in a hierarchical 
structure.  Kerberos is designed to do authentication.  But since, as 
is well known, IT operates on the logic of "now that we've got hold of 
a priest, let's bury five or six at once" (i.e. use the one thing at 
hand for everything), the scheme "we use LDAP's bind mechanism as an 
authentication method for external verification" has ended up being 
very common.  It is exactly as pretty as the scheme "we use the IMAP 
server for authentication" and various other similar ones that roam 
free out there in the forest on dark nights.

-- 
Christos Ricudis				ricudis at itc.auth.gr
Systems Administrator				+30-2310-998656
IT Support Center
Aristotle University of Thessaloniki, GREECE
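The point made above, as an added example that is not part of the thread and talks to no real server: a tiny in-memory model of a DIT (the base dc=triakilakodika,dc=gr is taken from the quoted proposal; the entries, the ou= branches, the cn=proxy and cn=admin accounts and all passwords are constructed for the example). It contrasts the template `BINDDN='uid=$USERNAME,...'` approach, which only works for entries directly under the base, with the search-then-bind flow pam_ldap uses with a proxy (or anonymous) user, and models the ACL rule that non-administrative requesters never see sensitive attributes.

```python
"""Model of the two pam_ldap binding strategies discussed in the thread.

Added example, not code from the original post. Nothing here speaks LDAP
over the wire; a dict stands in for the directory and a toy salted hash
stands in for server-side password storage.
"""
import hashlib
import hmac
import os
from typing import Optional

BASE_DN = "dc=triakilakodika,dc=gr"          # base DN from the quoted proposal
ADMIN_DN = f"cn=admin,{BASE_DN}"             # assumed administrative identity
PROXY_DN = f"cn=proxy,ou=services,{BASE_DN}" # assumed pam_ldap proxy identity
SENSITIVE_ATTRS = {"userPassword", "krbPrincipalKey"}  # hidden by the ACL model


def _hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Toy salted hash (8-byte salt || sha256); not a real {SSHA} encoding."""
    salt = os.urandom(8) if salt is None else salt
    return salt + hashlib.sha256(salt + password.encode()).digest()


def _password_matches(stored: bytes, password: str) -> bool:
    return hmac.compare_digest(stored, _hash_password(password, stored[:8]))


def make_directory() -> dict:
    """Constructed sample DIT: users sit in three different branches."""
    return {
        f"uid=carol,{BASE_DN}": {"uid": "carol", "userPassword": _hash_password("c-pass")},
        f"uid=alice,ou=people,{BASE_DN}": {"uid": "alice", "userPassword": _hash_password("a-pass")},
        f"uid=bob,ou=staff,ou=itc,{BASE_DN}": {"uid": "bob", "userPassword": _hash_password("b-pass")},
        PROXY_DN: {"cn": "proxy", "userPassword": _hash_password("proxy-secret")},
        ADMIN_DN: {"cn": "admin", "userPassword": _hash_password("admin-secret")},
    }


def bind(directory: dict, dn: Optional[str], password: Optional[str]) -> bool:
    """Simple bind: dn=None is an anonymous bind, otherwise the password must match."""
    if dn is None:
        return True
    entry = directory.get(dn)
    return (entry is not None and password is not None
            and _password_matches(entry["userPassword"], password))


def search(directory: dict, base: str, attr: str, value: str,
           bound_as: Optional[str]) -> list:
    """Subtree search for (attr=value) under base, returning (dn, visible attrs).

    ACL model: only ADMIN_DN sees SENSITIVE_ATTRS; anonymous and ordinary
    authenticated requesters get the entry with those attributes stripped.
    Values are compared directly, so no filter string is built here; a real
    client must escape user input per RFC 4515 before placing it in a filter.
    """
    results = []
    for dn, entry in directory.items():
        in_scope = dn == base or dn.endswith("," + base)
        if in_scope and entry.get(attr) == value:
            if bound_as == ADMIN_DN:
                visible = dict(entry)
            else:
                visible = {k: v for k, v in entry.items() if k not in SENSITIVE_ATTRS}
            results.append((dn, visible))
    return results


def template_dn(username: str) -> str:
    """BINDDN='uid=$USERNAME,dc=triakilakodika,dc=gr' from the quoted proposal."""
    return f"uid={username},{BASE_DN}"


def auth_template(directory: dict, username: str, password: str) -> bool:
    """Bind directly as the templated DN: works only for a flat tree."""
    return bind(directory, template_dn(username), password)


def auth_search_then_bind(directory: dict, username: str, password: str,
                          proxy_dn: Optional[str] = None,
                          proxy_pw: Optional[str] = None) -> bool:
    """pam_ldap style: bind as proxy (or anonymously), locate the user's DN
    anywhere in the subtree, then bind as that DN with the user's password."""
    if not bind(directory, proxy_dn, proxy_pw):
        return False
    matches = search(directory, BASE_DN, "uid", username, proxy_dn)
    if len(matches) != 1:  # unknown user or ambiguous uid: refuse rather than guess
        return False
    user_dn, _ = matches[0]
    return bind(directory, user_dn, password)
```

With this model, `auth_template` only succeeds for carol, whose entry hangs directly off the base, while `auth_search_then_bind` authenticates all three users whatever branch they live in, and the proxy's search never returns `userPassword`, which is what the ACL point above asks for.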




More information about the Linux-greek-users mailing list