
Re: Hiding userPassword and other attributes from anonymousLDAPclients (such as Eudora)



Hi again.

I think there is a problem in having an ACL that allows searching on the
userpassword field, especially if the users can modify their password. You could
do a search like

    ldapsearch "userpassword=master"
or  ldapsearch "userpassword=god"

and get the DN of all users with that password. Then you could login as them and
have access to private data.

Am I right?

"Rudolf Nottrott, NCEAS" wrote:
> 
> Thanks Patrick, for your examples.
> 
> I did a lot of experimenting yesterday and found that the following works
> for hiding the password, although I still don't really understand how:
> 
> defaultaccess read
> access to attr=userPassword
>     by * search
> 
> access to * by self write
> 
> Taken as plain English, "access to attr=userPassword" suggests the opposite
> of hiding to me, but it hides the password alright.
> 
> Still looking for something like a tutorial on this, or at least some
> better explanation than the slapd config manual at
> http://www.openldap.org/devel/admin/slapdconfig.html provides.
> 
> Thanks,
> 
> Rudolf
> 
> At 10:23 AM 10/13/00 -0400, you wrote:
> >Here's how you can do this:
> >
> >defaultaccess          read
> >access to attrs=userpassword
> >   by self             write
> >   by *                none
> >
> >That's for openldap v 1.2.x
> >
> >could be
> >
> >defaultaccess          read
> >access to attrs=userpassword
> >   by self             write
> >   by *                auth
> >
> >for openldap v 2.x. I'm not sure. I'm not using it yet. If you do not want the
> >users to be able to change their password, change the write for a read.
> >
> >P.Timmons
> >
> >"Rudolf Nottrott, NCEAS" wrote:
> >>
> >> Hello,
> >>
> >> I'm just getting into LDAP access control and I apologize if the answer to
> >> my question is obvious to most of you.
> >>
> >> I am trying to prevent anonymous LDAP client programs, such as Eudora, from
> >> seeing certain attributes.  (Most importantly I don't want the userPassword
> >> attribute to be seen.)  I'm guessing that this is done with the
> >> defaultaccess control in slapd.conf, but haven't found any simple
> >> explanation of the details of defaultaccess usage.
> >>
> >> Can defaultaccess be used to hide certain attributes from anonymous client
> >> such as Eudora?  If not, how can it be done?
> >>
> >> Could you point me to a good explanation of the workings of
> >> 'defaultaccess', perhaps a tutorial of some kind?
> >>
> >> Thanks for your help.
> >>
> >> Rudolf Nottrott
> >> UCSB Santa Barbara
> >
> >--
> >Patrick Timmons, service informatique
> >

-- 
Patrick Timmons, service informatique
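As an added example (not code from this thread or from OpenLDAP), a small Python check that parses slapd.conf ACL fragments like the ones quoted above and reports which non-self subjects get more than `auth` on userPassword, using slapd's first-matching `access to` rule. The two sample configurations are constructed from the thread; the access-level ordering is OpenLDAP's (none < auth < compare < search < read < write).

```python
import re

# OpenLDAP access levels, weakest to strongest; each level implies the ones below it.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
# Constructed slapd.conf fragments: 'by * search' hides the value but still lets a
# filter such as (userpassword=secret) match; 'by * auth' only allows binding.
WEAK_CONF = """\
defaultaccess read
access to attr=userPassword
    by * search
access to * by self write
"""
HARDENED_CONF = """\
defaultaccess read
access to attrs=userPassword
    by self write
    by * auth
"""
ACCESS_RE = re.compile(r"^\s*access\s+to\s+(?P<what>\S+)", re.I)
BY_RE = re.compile(r"\bby\s+(?P<who>\S+)\s+(?P<level>\S+)", re.I)
DEFAULT_RE = re.compile(r"^\s*defaultaccess\s+(?P<level>\S+)", re.I)

def parse_conf(conf):
    """Return (defaultaccess level, ordered list of {'what': ..., 'by': [(who, level), ...]})."""
    default, clauses = None, []
    for line in conf.splitlines():
        m = DEFAULT_RE.match(line)
        if m:
            default = m.group("level").lower()
            continue
        m = ACCESS_RE.match(line)
        if m:
            clauses.append({"what": m.group("what").lower(), "by": []})
            line = line[m.end():]  # a 'by' clause may follow on the same line
        if clauses:
            clauses[-1]["by"] += [(w.lower(), l.lower()) for w, l in BY_RE.findall(line)]
    return default, clauses

def governs_userpassword(what):
    # slapd applies the first 'access to' whose target covers the attribute
    return what == "*" or (what.startswith(("attr=", "attrs=")) and
                           "userpassword" in what.split("=", 1)[1].split(","))

def userpassword_findings(conf, max_public_level="auth"):
    """List (who, level) grants on userPassword to non-self subjects above max_public_level."""
    default, clauses = parse_conf(conf)
    clause = next((c for c in clauses if governs_userpassword(c["what"])), None)
    grants = clause["by"] if clause else ([("*", default)] if default else [])
    return [(who, lvl) for who, lvl in grants if who != "self"
            and lvl in LEVELS and LEVELS.index(lvl) > LEVELS.index(max_public_level)]
```

With no `access to` clause covering userPassword, the check falls back to the `defaultaccess` level, which is the original poster's situation.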