Re: access control puzzlement
If we do this right, we'll build an ACL tutorial :-) I'm more than willing
to play the ignorant student...
At 07:43 PM 5/11/99, Alan Sparks wrote:
>I believe what you may be looking for is to create an access control rule
>like:
>
>access to attr=userpassword
> by self write
> by * compare
>
>access to *
> by self write
> by * read
>
>and add userpassword attributes to the various entries (like people entries,
>for instance). The "by self" clauses kick in when a client binds to a
>specific DN (not the null DN as an anonymous connection does), and the
>server uses the userpassword attribute as password. The above ACLs allow
>attribute changes only by the user who successfully bound to a specific DN.
For example: if a client binds to dn: ou=Garnet,ou=jewelry,ou=store, the
expectation is that Garnet is a node with the attribute userpassword and
that password is used as part of the authentication for
changing/reading/comparing attributes in that dn. Correct?
>The first rule is to make sure that people browsing the directory don't see
>others' passwords.
That's a good thing to point out. It's obvious to anyone with any security
experience, but it's not obvious to all.
Eric S Johansson esj@inguide.com esj@harvee.billerica.ma.us
This message was composed almost entirely by NaturallySpeaking.
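The behaviour Alan describes (the "by self" clause, "by * compare" on userpassword, and why the userpassword rule has to come before "access to *") can be traced through with a small evaluator. The following is an added example written for this archive page, not code from the thread or from OpenLDAP itself: it is a toy subset of slapd.conf access-directive evaluation that assumes OpenLDAP's two documented rules, that access directives are tried in order and the first rule whose "access to" part matches decides, and that the access levels none < auth < compare < search < read < write are cumulative, so a grant of "compare" also satisfies "auth". It supports only "self", "anonymous" and "*" as who-clauses, only "attr=" and "*" as what-clauses, and denies when no rule matches (a simplification); the DNs are constructed from Eric's Garnet example.

```python
"""Toy evaluator for slapd.conf-style access directives (added example, not OpenLDAP code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# OpenLDAP access levels form an ordered chain: granting a level implies every
# lower one, so "by * compare" on userPassword also grants "auth", which is what
# a simple bind against that entry needs.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The two directives from the thread, in the order Alan gave them.
ACL_TEXT = """
access to attr=userpassword
    by self write
    by * compare

access to *
    by self write
    by * read
"""

# Same clauses in the wrong order (constructed to show why order matters).
REVERSED_ACL_TEXT = """
access to *
    by self write
    by * read

access to attr=userpassword
    by self write
    by * compare
"""


@dataclass
class Clause:
    who: str    # "self", "anonymous" or "*" (toy subset of slapd <who> forms)
    level: str  # one of LEVELS


@dataclass
class Rule:
    attrs: Optional[Set[str]]  # None means the rule applies to everything ("*")
    clauses: List[Clause] = field(default_factory=list)


def parse_acls(text: str) -> List[Rule]:
    """Parse "access to <what>" / "by <who> <level>" lines into ordered rules."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("access to "):
            what = line[len("access to "):].strip()
            if what == "*":
                rules.append(Rule(None))
            elif what.startswith(("attr=", "attrs=")):  # old and current spellings
                names = what.split("=", 1)[1]
                rules.append(Rule({a.strip().lower() for a in names.split(",")}))
            else:
                raise ValueError(f"unsupported <what> clause: {what}")
        elif line.startswith("by "):
            _, who, level = line.split()
            if level not in LEVELS or not rules:
                raise ValueError(f"bad <who> clause: {line}")
            rules[-1].clauses.append(Clause(who, level))
        else:
            raise ValueError(f"unrecognised line: {line}")
    return rules


def check_access(rules: List[Rule], bind_dn: Optional[str], target_dn: str,
                 attr: str, wanted: str) -> bool:
    """True if the identity bound as bind_dn (None = anonymous) may perform
    `wanted` on `attr` of the entry `target_dn`."""
    attr = attr.lower()
    for rule in rules:
        if rule.attrs is not None and attr not in rule.attrs:
            continue  # this rule is about other attributes; try the next one
        # First matching rule decides; within it, the first matching <who> wins.
        for clause in rule.clauses:
            if clause.who == "self":
                if bind_dn is None or bind_dn.lower() != target_dn.lower():
                    continue
            elif clause.who == "anonymous":
                if bind_dn is not None:
                    continue
            elif clause.who != "*":
                continue  # unsupported <who> form in this toy
            return LEVELS.index(clause.level) >= LEVELS.index(wanted)
        return False  # rule matched the target but no <who> clause matched
    return False  # no rule matched: deny (simplification of slapd's default)


GARNET = "ou=Garnet,ou=jewelry,ou=store"   # constructed, from Eric's example
RUBY = "ou=Ruby,ou=jewelry,ou=store"       # constructed: some other bound user


def main() -> None:
    good = parse_acls(ACL_TEXT)
    bad = parse_acls(REVERSED_ACL_TEXT)
    cases = [
        ("Garnet writes own password", good, GARNET, GARNET, "userPassword", "write"),
        ("Ruby reads Garnet's password", good, RUBY, GARNET, "userPassword", "read"),
        ("anonymous bind needs auth", good, None, GARNET, "userPassword", "auth"),
        ("anonymous reads Garnet's cn", good, None, GARNET, "cn", "read"),
        ("anonymous reads password (reversed)", bad, None, GARNET, "userPassword", "read"),
    ]
    for label, rules, who, target, attr, op in cases:
        print(f"{label:40s} -> {'allow' if check_access(rules, who, target, attr, op) else 'deny'}")


if __name__ == "__main__":
    main()
```

Running it shows the two points made in the thread: with the rules in Alan's order, only the bound entry can write its own userpassword, everyone else tops out at "compare" (which still lets a bind authenticate), and the rest of the entry is readable; with the rules swapped, "access to *" matches first and "by * read" exposes every userpassword to any browser.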