Mailing Lists: Apple Mailing Lists


Non-admin users binding to LDAP



It used to be that any user on the system could do a simple bind to the
LDAP server running on Mac OS X Server.

Recently I tried to use this technique in a PHP script to authenticate
users. I have found that the LDAP server now only allows users in the
'admin' group to bind -- all others receive an Invalid Credentials
message. This is a problem for scripts which rely on a successful bind
to authenticate a user, because now only admin users can access the
script. Peter Zingg posted about a week ago on this same topic.

Testing with /usr/bin/ldapsearch confirms the problem: anonymous binds
are allowed (ie, you can bind to the LDAP server without specifying a DN
or password to bind as); users in the 'admin' group may bind (ie, you
can bind to the LDAP server with DN uid=admin,cn=users,dc=domain,dc=tld
and the relevant password); but regular non-admin users may not bind.

Recursively grepping the /etc/openldap directory for terms such as
'admin' and 'group' doesn't reveal anything interesting. I've read the
ACL documentation for OpenLDAP and it doesn't look like Apple's config
is doing anything in the ACLs to disallow binding by non-admin users.
Google, kbase.apple and discuss.apple don't seem to know much about it
either.

Any help on this would be much appreciated! How can I reconfigure slapd
on Mac OS X Server 10.3.3 to allow any valid user to bind?

Many thanks
James

-- 
James Tolchard
ICT Services
Christ's College Canterbury
DDI: +64-3-364-6806

"Never attribute to malice that which can be adequately explained by
stupidity." - Hanlon's Razor
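The bind-as-the-user pattern the post relies on, written out as an added PHP example (not James's script). It assumes a placeholder server URI, the uid=...,cn=users,dc=domain,dc=tld DN layout quoted in the post, and that the server returns LDAP result code 49 (invalidCredentials) for the failing binds described above; the explicit empty-password check matters because, as the post notes, anonymous binds succeed on this server.

```php
<?php
// Added example: authenticate a user by binding to OpenLDAP as that user.
// LDAP_HOST is a placeholder; USER_BASE follows the DN layout in the post.
const LDAP_HOST = 'ldap://ldap.example.tld';
const USER_BASE = 'cn=users,dc=domain,dc=tld';
const LDAP_INVALID_CREDENTIALS_ERR = 49; // LDAP resultCode invalidCredentials

function ldapAuthenticate(string $uid, string $password): array
{
    // An empty password makes ldap_bind perform an anonymous bind, which the
    // post confirms this server permits. Treating that as a successful login
    // would let anyone in, so refuse it before contacting the server.
    if ($password === '') {
        return [false, 'empty password refused (would be an anonymous bind)'];
    }
    // Only build a DN from uids that cannot add or alter DN components.
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $uid)) {
        return [false, 'uid contains characters not allowed in a DN component'];
    }

    $conn = ldap_connect(LDAP_HOST);
    if ($conn === false) {
        return [false, 'could not initialise LDAP connection'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    $dn = sprintf('uid=%s,%s', $uid, USER_BASE);
    // Suppress PHP's warning on a failed bind; the result code is inspected below.
    $ok     = @ldap_bind($conn, $dn, $password);
    $errno  = ldap_errno($conn);
    $errstr = ldap_error($conn);
    ldap_unbind($conn);

    if ($ok) {
        return [true, "bound as $dn"];
    }
    // Code 49 is the "Invalid Credentials" the post reports for non-admin users.
    // Anything else (server unreachable, ACL or referral trouble) is not a bad
    // password and should be logged and surfaced differently.
    if ($errno === LDAP_INVALID_CREDENTIALS_ERR) {
        return [false, "invalid credentials for $dn"];
    }
    return [false, "bind failed for $dn: $errstr ($errno)"];
}

[$ok, $msg] = ldapAuthenticate($_POST['user'] ?? '', $_POST['pass'] ?? '');
echo $ok ? "Welcome\n" : "Login failed: $msg\n";
```

With the server behaviour described in the post, a valid non-admin account will take the code-49 branch; that is the symptom to test against after any slapd reconfiguration.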
Macos-x-server mailing list      (email@hidden)