[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd ACL to allow Password Modify exop by ldappasswd - but deny direct modification via ldapmodify

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: slapd ACL to allow Password Modify exop by ldappasswd - but deny direct modification via ldapmodify
From: Tim Watts <tw@dionic.net>
Date: Thu, 21 Feb 2013 12:04:12 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130106 Thunderbird/17.0.2

Hi,

I've been through google and the man pages - no avail. If anyone canhelp, I'd be very grateful :)


slapd.conf acl:

access to attrs=userPassword
        by peername.path="/var/run/slapd/ldapi" manage
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
        by self write
        by * auth

This allows ldappasswd to work, but of course, it also allows anybody toissue an ldapmodify against their own record and store a weak hash (eg{crypt} ) or worse, bypass my check_password plugin policy enforcer.

Removing the "self write" line kills ldapmodify, but also seems to breakthe password modify exop issues by ldappasswd.

So - how do I allow ldappasswd to work (which respects the policies andallows the server to hash the password using its default hash - SSHA1 inmy case) whilst disallowing *direct* modify access to the userPassword:entry?


Answers on a postcard, or a wet herring as appropriate :-|

Many thanks!

Tim

--
Tim Watts
Personal Blog:                          http://squiddy.blog.dionic.net/

http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage

Follow-Ups:
- Re: slapd ACL to allow Password Modify exop by ldappasswd - but deny direct modification via ldapmodify
  - From: Tim Watts <tw@dionic.net>

Prev by Date: Re: enabling logs in openLDAP
Next by Date: N-Way Multimaster with syncrepl and delta-repl -- slapd stops responding
Index(es):
- Chronological
- Thread