
Re: (ITS#3446) ACL val clause ineffective with bind



> access to attr=userpassword val.regex=^[{]SMD5[}].*
>         by * none
>
> Rerun ldapsearch as above. The read is prohibited, but the bind is not.
>
> dn: cn=md5,o=University of Michigan,c=US
>
> is output. I would expect "Invalid credentials." I'd claim this to be an
> ACL processing bug.

In fact, back-bdb (as other storage backends do) doesn't pass the value of
the password attribute to the access checking utility.  I'd guess it's
intended, although I do not recall the reason.

I guess what you intend to do is to allow bind based on some hash
mechanism only.  I think this possibility should be considered, maybe
through a different mechanism.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497