Tuesday, December 21, 2021

[389-users] Re: Permission to let a user be used in authentication for other applications

Hi Denis,

The answer depend on the application ( typically how it determines the user DN and what it checks and what type of authentication it uses)

The absolute minimum for simple authentication is to have an userpassword attribute. 
   so any entry with an objectclass allowing userpassword is fine.
       (typically those having "simpleSecurityObject" objectclass or those derived from "person" objeclass) 
That is enough for applications like ldasearch or ldapmodify that do not do any other check than trying to authenticate to the ldap server.

But some application have more strict requirement  (typically looking for specific objectclass)
For example Unix/Linux authentication over LDAP requires entries with "posixAccount"
other applications looks for "person" or "inetorgperson" ...


On Tue, Dec 21, 2021 at 2:28 PM Denis Morejon <denis.morejon@etecsa.cu> wrote:

I have just installed a 389ds. I can use "cn=Directory Manager" in other
application's configuration when setting them up to authenticate with
ldap, but I can't use another ldap user created. How can I set
permission for user to do that? Or what kind of attribute should the
user has?

Thanks in advance
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure


389 Directory Server Development Team

No comments:

Post a Comment