Re: acl's and the userpassword field
At 11:22 AM 10/22/99 -0400, Seth Vidal wrote:
>I'm trying restrict searches so that the userpassword entry is not
>readable by users who are not self or rootdn
>
>here are my acl's
>defaultaccess read
>access to dn=".*, dc=phy,dc=duke,dc=edu" attr=userpassword
^
That space will cause this access directive to never be applicable.
Remove it.
> by self write
> by dn="cn=managaer, dc=phy,dc=duke,dc=edu" write
^
Likewise with this by clause. Also, check spelling of 'managaer'.
> by * compare
>does this make any sense?
After fixing the above errors, I suggest:
1) using a defaultaccess none directive
2) disallowing compare of userpassword to all
>it seemed consistent - I've toggled the by * compare to none but no luck
compare affects LDAP compare operations, not LDAP bind operations.
I generally recommend something like:
access to attr=userPassword
by self write
by dn="cn=manager,dc=sld,dc=tld" write
by * none
----
Kurt D. Zeilenga <Kurt@OpenLDAP.org>
OpenLDAP Project <http://www.OpenLDAP.org/>
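To show why the stray spaces and the "by * compare" clause matter, here is a small Python model of slapd.conf ACL evaluation. It is an added example, not code from the thread or from OpenLDAP; the DNs, the ordered access levels and the first-applicable-directive rule are assumptions of this toy model.

```python
import re

# Toy model of OpenLDAP 1.x slapd.conf ACLs for this thread, not slapd's own code.
LEVELS = ["none", "compare", "search", "read", "write"]   # higher implies lower

def parse_acl(text):
    """Parse 'access to ... by ...' lines into rules: {dn, attr, by:[(who, level)]}."""
    rules = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("access to"):
            dn = re.search(r'dn="([^"]*)"', line)
            attr = re.search(r'attr=(\S+)', line)
            rules.append({"dn": dn.group(1) if dn else None,
                          "attr": attr.group(1).lower() if attr else None,
                          "by": []})
        elif line.startswith("by "):
            who, level = line[3:].rsplit(" ", 1)   # who may contain spaces
            rules[-1]["by"].append((who, level))
    return rules

def granted(rules, default, requester, target_dn, attr, op):
    """True if requester may perform op on attr of target_dn. The first applicable
    'access to' clause decides; the DN regex is matched against the normalized DN."""
    for rule in rules:
        if rule["dn"] and not re.fullmatch(rule["dn"], target_dn):
            continue          # e.g. ".*, dc=..." never matches a DN without spaces
        if rule["attr"] and rule["attr"] != attr.lower():
            continue
        for who, level in rule["by"]:
            if (who == "*" or (who == "self" and requester == target_dn)
                    or (who.startswith("dn=") and who[4:-1] == requester)):
                return LEVELS.index(level) >= LEVELS.index(op)
        return False                      # applicable directive, no matching by
    return LEVELS.index(default) >= LEVELS.index(op)   # falls to defaultaccess

# Constructed DNs; the ACL texts are the ones quoted and recommended above.
USER, MANAGER, ANON = "uid=seth,dc=phy,dc=duke,dc=edu", "cn=manager,dc=phy,dc=duke,dc=edu", ""
POSTED = '''access to dn=".*, dc=phy,dc=duke,dc=edu" attr=userpassword
  by self write
  by dn="cn=managaer, dc=phy,dc=duke,dc=edu" write
  by * compare'''
SPACE_FIXED = POSTED.replace('".*, dc', '".*,dc')     # only the to-clause fixed
RECOMMENDED = '''access to attr=userPassword
  by self write
  by dn="cn=manager,dc=phy,dc=duke,dc=edu" write
  by * none'''

def can(acl, default, requester, op):
    return granted(parse_acl(acl), default, requester, USER, "userPassword", op)
```

With the posted ACL and "defaultaccess read", the directive never applies, so anonymous users can read userPassword and even the manager cannot write it; with the space fixed but "by * compare" kept, anonymous compare still succeeds.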