
On Mon, Sep 08, 2003 at 10:29:52PM +0200, Robert Kehl wrote:
> On Mon, 2003-09-08 at 20.13, Martin Edenhofer wrote:
> > > BTW: Authenticated Users do have self write permission on their password field in LDAP.
> > It's wanted. Because there should be no way (IMO) for other applications to write into your LDAP. It's critical, because sometime you will get an inconsistent directory if each application is writing into your directory.
> Could you explain that a little bit more? In my eyes LDAP is fully multi-user capable, as it's widely used in Linuxish environments for user authentication. I personally use it for PAM-based LDAP authentication and address book management, as well as for SMTP server configuration. I am completely relying on LDAP. In other words, passwords are stored nowhere else and (nearly) parallel writes should be allowed (address books).

What I mean is, if you have 10 applications which are writing to your LDAP tree, then you will get an inconsistent LDAP tree (different objects, different attributes, ...). So normally just one or two applications should have write access to your LDAP tree (IMO).

> Robert Kehl

Martin
--
Martin Edenhofer - <martin at edenhofer.de> - http://martin.edenhofer.de/
-- Perfection is our goal, excellence will be tolerated. -- J. Yahl
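The access split the two messages above are circling (each user may change only their own password, a single named provisioning account writes everything else, every other bind is read-only) expressed as OpenLDAP slapd.conf ACLs. This is an added example, not configuration from the thread, from either poster or from OTRS; the suffix dc=example,dc=org, the service DN cn=provisioning,ou=services,dc=example,dc=org and the choice of self-editable address book attributes are assumptions. The weak variant on top is the "every application writes" setup the second message warns about.

```conf
# Weak setting: any authenticated bind may modify any entry, including
# another user's userPassword. This is what "10 applications writing to
# the tree" usually looks like in practice.
#
# access to *
#     by users write
#     by * read

# Hardened setting. slapd evaluates "access to" clauses in order and stops
# at the first clause whose <what> matches, so the userPassword rule must
# precede the catch-all or it is never reached.

# userPassword: the entry's own DN may bind with it (x) and replace it (w)
# but not read it back; anonymous binds may only authenticate against it;
# the one provisioning account may set it; nobody else sees it at all.
# (DNs below are assumed names for this example.)
access to attrs=userPassword
    by self =xw
    by anonymous auth
    by dn.exact="cn=provisioning,ou=services,dc=example,dc=org" write
    by * none

# Address book fields a user may maintain on their own entry. Parallel
# writes here are harmless because each user only touches their own
# attributes, and no application writes them on the user's behalf.
access to attrs=telephoneNumber,mobile,roomNumber,description
    by self write
    by users read
    by * none

# Everything else in the tree: exactly one writer. PAM, the MTA and the
# address book clients bind as users or read-only service accounts and
# get read access; anonymous gets nothing.
access to dn.subtree="dc=example,dc=org"
    by dn.exact="cn=provisioning,ou=services,dc=example,dc=org" write
    by users read
    by * none
```

Verify the rules offline with slapacl before reloading slapd, for example `slapacl -f slapd.conf -D "uid=alice,ou=people,dc=example,dc=org" -b "uid=bob,ou=people,dc=example,dc=org" userPassword/write`, which must report the access as denied, while the same command with `-D` set to the provisioning DN must report it granted. The `=xw` form rather than plain `write` is deliberate: `write` implies `read`, and there is no reason for a user (or anything binding as one) to be able to fetch the stored hash.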