Re: [tpop3d-discuss] ldap virtual auth plugin : near release

[Prune]

re,

Chris Lightfoot wrote:
> On Thu, Feb 21, 2002 at 02:46:37PM +0100, Prune wrote:
>     [...]
> > I subscribe this list 2 years ago. I'm not an ldap expert, I learn with 
> > what I see and hear. Most of ldap implemented tools act as this :
> >
> > -> bind as a privileged user
> > or  
> > -> bind anonymously
> > -> search for attribute
> > -> get result attributes
> >    -> re-bind as user
> >    or
> >    -> compare userPassword with the one supplied by the user
> >
> > Some tools offer both, some do not...
> > I don't think there are a better way than another...
> >     
>
> FWIW, the Apache auth_ldap appears to use the search/bind
> model. It seems like a reasonable idea to me (as a total
> LDAP neophyte), I suppose. It would be nice to implement
> both, I guess. I may look at doing that.
>
> Presumably you can set ACLs so that (say) the email
> address and name of a user are publically available, but
> another attribute -- a password hash, say -- is available
> only to the administrator and the user as whom the POP
> server binds to the server?
>
>     
the fact is that I prefer not to allow anything to users account.
In my directory (but anybody can do as they want) only some special users
have acces to some attributes.
so :
-anonymous : nothing
-users : bind only
-special user 'tpop3d' : read on mail, password, maildrop....
    
As I said before, even if my host if protected from internet, I will not
allow anonymous users to have access to my list of users.
I will also not allow users to have access at theire informations.
maybe I'm paranoid, but this seems to be the most secure way.
    
Prune