[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: acl's and the userpassword field

To: Seth Vidal <skvidal@phy.duke.edu>
Subject: Re: acl's and the userpassword field
From: "Kurt D. Zeilenga" <kurt@OpenLDAP.org>
Date: Fri, 22 Oct 1999 10:09:15 -0700
Cc: openldap-software@OpenLDAP.org
In-reply-to: <Pine.LNX.4.10.9910221119410.18573-100000@roma.phy.duke.edu >

At 11:22 AM 10/22/99 -0400, Seth Vidal wrote:
>I'm trying restrict searches so that the userpassword entry is not
>readable by users who are not self or rootdn
>
>here are my acl's
>defaultaccess   read
>access  to dn=".*, dc=phy,dc=duke,dc=edu"  attr=userpassword
                   ^

That space will cause this access directive to never be applicable.
Remove it.

>        by self         write
>        by dn="cn=managaer, dc=phy,dc=duke,dc=edu" write
                            ^

Likewise with this by clause.  Also, check spelling of 'managaer'.

>        by *            compare

>does this make any sense?

After fixing the above errors, I suggest:
	1) using a defaultaccess none directive
	2) disallowing compare of userpassword to all

>it seemed consistent - I've toggled the by * compare to none but no luck

compare effects LDAP compare operations, not LDAP bind operations.
I generally recommend something like:

access to attr=userPassword
	by self write
	by dn="cn=manager,dc=sld,dc=tld"
	by * none


----
Kurt D. Zeilenga <Kurt@OpenLDAP.org>
OpenLDAP Project <http://www.OpenLDAP.org/>

Follow-Ups:
- Re: acl's and the userpassword field
  - From: Seth Vidal <skvidal@phy.duke.edu>

Prev by Date: Re: des_encrypt
Next by Date: Re: acl's and the userpassword field
Index(es):
- Chronological
- Thread