Current versions of slapd(8) require that clients have auth permission to the attribute types used for authentication before those values can be used to perform the bind operation. As all bind operations are performed anonymously (regardless of any previous successful bind), the auth access must be granted to anonymous.
The example ACL below grants the following access:
- to anonymous users:
  - permission to authenticate using values of userPassword
- to authenticated users:
  - permission to update (but not read) their userPassword
  - permission to read any object excepting values of userPassword
All other access is denied.
    access to attr=userpassword
        by self =w
        by anonymous auth
    access to *
        by self write
        by users read
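The same two rules written in cn=config (olcAccess) form, as an added example that is not part of this FAQ entry. The database DN olcDatabase={1}mdb,cn=config is an assumed placeholder for whichever database holds the users; the {0}/{1} prefixes fix the evaluation order, since slapd uses the first "to" clause whose target matches the entry, so the userPassword rule must come before the catch-all. The explicit "by * none" only spells out the default that ends every access clause. In LDIF a continuation line begins with one space that is stripped on parsing, so two leading spaces are used to keep the separating space between the tokens.

```ldif
# Added example: cn=config equivalent of the slapd.conf ACL above.
# olcDatabase={1}mdb,cn=config is an assumed placeholder DN.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: anonymous may only use userPassword to bind (auth, no read);
#      the entry's owner may write it but not read it back (=w).
olcAccess: {0}to attrs=userPassword
  by self =w
  by anonymous auth
  by * none
# {1}: owners may modify their own entry, any authenticated user may read;
#      anonymous (and everyone else) gets nothing.
olcAccess: {1}to *
  by self write
  by users read
  by * none
```

Apply it with ldapmodify against the config database (for example over ldapi:// with SASL EXTERNAL as root), then confirm that an anonymous bind attempt with a user's password succeeds while an anonymous search still returns no entries.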