Installing And Configuring
Configure Your Directory
Step 4. Grant read access to all attributes of the posix schema.

Ensure all users have read access to the posix attributes.

When using PAM_LDAP as your authentication method, users do not need read access to the userPassword attribute, since authentication is handled by the directory itself. Therefore, for better security, you can remove read access to userPassword from ordinary users.
Step 5. Configure anonymous access, if needed. If you do not configure a proxy user, then the attributes of your name service data must be readable anonymously.

Step 6. Create a proxy user in the directory, if needed.

To create a proxy user with Netscape Directory Server, use the Netscape Console: Users and Groups tab, Create button. For example, you might create a user uid=proxyuser,ou=Special Users,o=hp.com.

Step 7. Set access permissions for the proxy user, if configured.

Give the proxy user created above read permission for the posix account attributes.
With Netscape Directory Server, for example, the following ACI gives a proxy user permission to compare, read, and search all posix account attributes except the userPassword attribute:

aci: (target="ldap:///o=hp.com")(targetattr!="userpassword")(version 3.0; acl "Proxy userpassword read rights";
allow (compare,read,search)
userdn = "ldap:///uid=proxyuser,ou=Special Users,o=hp.com";)
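As an added example (not from the HP manual): after applying the ACIs of steps 4 and 7, the check a practitioner wants is an ldapsearch run as the proxy user, and another run anonymously, against a known account, confirming that the posix attributes come back while userPassword does not. This Python script performs that comparison offline on the LDIF that ldapsearch prints; the two LDIF samples are constructed, and the required attribute list assumes the RFC 2307 posixAccount attributes.

```python
import re
# RFC 2307 posixAccount attributes the name service must read, and ones it must never see.
REQUIRED_POSIX_ATTRS = {"uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell"}
FORBIDDEN_ATTRS = {"userPassword"}

def parse_ldif(text):
    """ldapsearch LDIF output -> [(dn, {attr: [values]})], unfolding continuation lines."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):  # ldapsearch prints '#' comment lines
                continue
            name, _, value = line.partition(":")
            value = value.lstrip(":").strip()  # "attr:: <base64>" values are left encoded
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def check_visibility(ldif_text):
    """Per entry: posix attributes the ACI failed to expose, and attributes it leaked."""
    report = {}
    for dn, attrs in parse_ldif(ldif_text):
        present = {n.lower() for n in attrs}  # LDAP attribute names are case-insensitive
        report[dn] = {
            "missing": sorted(a for a in REQUIRED_POSIX_ATTRS if a.lower() not in present),
            "leaked": sorted(a for a in FORBIDDEN_ATTRS if a.lower() in present)}
    return report

# Constructed sample: the proxy user's view after the step 7 ACI (expected: no findings).
PROXY_VIEW = """\
dn: uid=jdoe,ou=People,o=hp.com
uid: jdoe
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/jdoe
loginShell: /bin/sh
gecos: Jane Doe,
 Building 3
"""
# Constructed sample: anonymous view with step 4 skipped and userPassword still readable.
ANON_VIEW = """\
dn: uid=jdoe,ou=People,o=hp.com
uid: jdoe
userPassword:: e1NTSEF9c2VjcmV0
"""
```

Replace the constructed samples with the output of an ldapsearch bound as the proxy user and one bound anonymously; any non-empty "missing" or "leaked" list means the ACI does not yet match steps 4 and 7.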
Step 8. The default ACI of Netscape Directory Server 6.11 allows a user to change his own common attributes. But for Netscape Directory Server 6.21 or later, you need to set an ACI that gives a user permission to change his own common attributes. By default, Netscape Directory Server 6.21 or later provides the following ACI, named "Enable self write for common attributes", that gives a user permission to change his own common attributes:

aci: (targetattr = "carLicense description displayName facsimileTelephoneNumber homePhone homePostalAddress initials jpegPhoto labeledURL mail mobile pager photo postOfficeBox postalAddress postalCode preferredDeliveryMethod preferredLanguage registeredAddress roomNumber secretary seeAlso st street
Chapter 2 23