[tpop3d-discuss] ldap virtual auth plugin : near release
Prune
prune at lecentre.net
Thu, 21 Feb 2002 15:16:43 +0100
re,
Chris Lightfoot wrote:
>On Thu, Feb 21, 2002 at 02:46:37PM +0100, Prune wrote:
> [...]
>
>>I subscribed to this list 2 years ago. I'm not an LDAP expert, I learn with
>>what I see and hear. Most LDAP-based tools act like this:
>>
>>-> bind as a privileged user
>>or
>>-> bind anonymously
>>-> search for attribute
>>-> get result attributes
>> -> re-bind as user
>> or
>> -> compare userPassword with the one supplied by the user
>>
>>Some tools offer both, some do not...
>>I don't think one way is better than the other...
>>
>
>FWIW, the Apache auth_ldap appears to use the search/bind
>model. It seems like a reasonable idea to me (as a total
>LDAP neophyte), I suppose. It would be nice to implement
>both, I guess. I may look at doing that.
>
>Presumably you can set ACLs so that (say) the email
>address and name of a user are publicly available, but
>another attribute -- a password hash, say -- is available
>only to the administrator and the user as whom the POP
>server binds to the server?
>
The fact is that I prefer not to allow users anything on their own account.
In my directory (but anybody can do as they want) only some special
users have access to some attributes.
So:
- anonymous : nothing
- users : bind only
- special user 'tpop3d' : read on mail, password, maildrop....
As I said before, even if my host is protected from the internet, I will not
allow anonymous users to have access to my list of users.
I will also not allow users to have access to their own information.
Maybe I'm paranoid, but this seems to be the most secure way.
Prune
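The two authentication flows discussed in this thread (search as a privileged user and re-bind as the user, versus search and compare the stored password) and the access-control layout Prune describes (anonymous: nothing; users: bind only; service user 'tpop3d': read on mail, password, maildrop) can be shown together against an in-memory model of a directory. The following is an added example written for this page; it is not code from tpop3d, from the thread, or from any LDAP library. The DNs, the service-account name, the user entries, the password hashing and the simplified rule that an LDAP compare needs read access on the attribute are all constructed assumptions for the demonstration; a real server enforces these rules in its own ACL syntax.

```python
"""Added example (not part of the thread or of tpop3d): the search/bind and
search/compare models under a 'bind only for users, read only for the POP
service account' ACL. All entries, DNs and passwords below are constructed."""
import hashlib
import hmac
import os


class InvalidCredentials(Exception):
    """Bind failed; the same error is raised for a missing DN and a wrong password."""


class AccessDenied(Exception):
    """Operation refused by the (simulated) ACL."""


class Session:
    """A bound connection; binder is None for an anonymous session."""
    def __init__(self, binder):
        self.binder = binder


def hash_password(password, salt=None):
    """Salted SHA-256, stored as salt || digest (a stand-in for {SSHA})."""
    salt = salt if salt is not None else os.urandom(8)
    return salt + hashlib.sha256(salt + password.encode()).digest()


def check_password(stored, candidate):
    salt, digest = stored[:8], stored[8:]
    return hmac.compare_digest(digest, hashlib.sha256(salt + candidate.encode()).digest())


PEOPLE = "ou=people,dc=example,dc=org"                       # assumed base DN
SERVICE_DN = "cn=tpop3d,ou=services,dc=example,dc=org"        # assumed service account
SERVICE_PW = "tpop3d-pw"                                      # constructed secret

ENTRIES = {                                                   # constructed directory
    f"uid=alice,{PEOPLE}": {"uid": "alice", "mail": "alice@example.org",
                            "mailDrop": "/var/mail/alice", "userPassword": hash_password("alice-pw")},
    f"uid=bob,{PEOPLE}": {"uid": "bob", "mail": "bob@example.org",
                          "mailDrop": "/var/mail/bob", "userPassword": hash_password("bob-pw")},
    SERVICE_DN: {"cn": "tpop3d", "userPassword": hash_password(SERVICE_PW)},
}

# Attributes each identity may READ. Binding is always allowed (the server checks
# userPassword itself); reading an attribute is a separate privilege.
READ_ACL = {
    None: set(),                                              # anonymous: nothing
    "self": set(),                                            # users: bind only
    SERVICE_DN: {"uid", "mail", "mailDrop", "userPassword"},  # tpop3d: read
}


class Directory:
    def __init__(self, entries, read_acl):
        self.entries, self.read_acl = entries, read_acl

    def _readable(self, session, dn, attr):
        allowed = set(self.read_acl.get(session.binder, set()))
        if session.binder == dn:                              # "self" rules apply to own entry
            allowed |= self.read_acl["self"]
        return attr in allowed

    def bind(self, dn=None, password=None):
        if dn is None:
            return Session(None)
        entry = self.entries.get(dn)
        if entry is None or not check_password(entry["userPassword"], password):
            raise InvalidCredentials(dn)                      # no hint whether the DN exists
        return Session(dn)

    def search(self, session, attr, value, want):
        """Entries whose `attr` equals `value` (any value if None); an entry only
        matches if the filter attribute is readable, and only readable attributes
        are returned. This is how the ACL keeps anonymous clients from listing users."""
        hits = []
        for dn, entry in self.entries.items():
            if not self._readable(session, dn, attr) or attr not in entry:
                continue
            if value is not None and entry[attr] != value:
                continue
            hits.append((dn, {a: entry[a] for a in want
                              if a in entry and self._readable(session, dn, a)}))
        return hits

    def compare(self, session, dn, password):
        """Compare against userPassword; simplified here to require read on it."""
        entry = self.entries.get(dn)
        if entry is None or not self._readable(session, dn, "userPassword"):
            raise AccessDenied(dn)
        return check_password(entry["userPassword"], password)


DIRECTORY = Directory(ENTRIES, READ_ACL)


def auth_search_bind(directory, username, password):
    """Model 1: bind as tpop3d, find the user's DN, then re-bind as that user."""
    svc = directory.bind(SERVICE_DN, SERVICE_PW)
    hits = directory.search(svc, "uid", username, ["mailDrop"])
    if len(hits) != 1:
        return None
    dn, attrs = hits[0]
    try:
        directory.bind(dn, password)
    except InvalidCredentials:
        return None
    return attrs["mailDrop"]


def auth_search_compare(directory, username, password):
    """Model 2: same lookup, then compare the stored userPassword instead of re-binding."""
    svc = directory.bind(SERVICE_DN, SERVICE_PW)
    hits = directory.search(svc, "uid", username, ["mailDrop"])
    if len(hits) != 1:
        return None
    dn, attrs = hits[0]
    return attrs["mailDrop"] if directory.compare(svc, dn, password) else None


def anonymous_user_list(directory):
    """What an unauthenticated client can enumerate: nothing under this ACL."""
    return [dn for dn, _ in directory.search(directory.bind(), "uid", None, ["mail"])]


def self_readable_attrs(directory, username, password):
    """A user bound as themself: 'bind only' means not even their own mail is visible."""
    me = directory.bind(f"uid={username},{PEOPLE}", password)
    return directory.search(me, "uid", username, ["mail", "mailDrop", "userPassword"])


if __name__ == "__main__":
    print(auth_search_bind(DIRECTORY, "alice", "alice-pw"), anonymous_user_list(DIRECTORY))
```

Both flows succeed only through the service account, which is the single identity granted read access; an anonymous search and a user's search of their own entry both return nothing, matching the three-line ACL in the message above. The compare model never re-binds, so under a real server it needs the service account to hold the compare (here: read) privilege on userPassword, which is exactly the attribute one would otherwise want to keep narrowest.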