Re: Hiding userPassword and other attributes from anonymous LDAP clients (such as Eudora)
I just tried this out, and I'm getting strange effects.
I set up a test entry with user password "test".
If I do
ldapsearch -b searchbase "userpassword=*"
then I get indeed all entries with a password (without actually seeing the
password in the returned entries).
If I do
ldapsearch -b searchbase "userpassword=test"
I get nothing returned whatsoever.
Now this is even more confusing!
Rudolf
At 06:47 PM 10/13/00 -0400, Patrick Timmons wrote:
>Hi again.
>
>I think there is a problem in having an acl that allows to search on the
>userpassword field especially if the users can modify their password. You could
>do a search like
>
> ldapsearch "userpassword=master"
>or ldapsearch "userpassword=god"
>
>and get the DN of all users with that password. Then you could login as them and
>have access to private data.
>
>Am I right ?
>
>"Rudolf Nottrott, NCEAS" wrote:
>>
>> Thanks Patrick, for your examples.
>>
>> I did a lot of experimenting yesterday and found that the following works
>> for hiding the password, although I still don't really understand how:
>>
>> defaultaccess read
>> access to attr=userPassword
>> by * search
>>
>> access to * by self write
>>
>> Taken as plain English, "access to attr=userPassword" suggests the opposite
>> of hiding to me, but it hides the password alright.
>>
>> Still looking for something like a tutorial on this, or at least some
>> better explanation than the slapd config manual at
>> http://www.openldap.org/devel/admin/slapdconfig.html provides.
>>
>> Thanks,
>>
>> Rudolf
>>
>> At 10:23 AM 10/13/00 -0400, you wrote:
>> >Here's how you can do this:
>> >
>> >defaultaccess read
>> >access to attrs=userpassword
>> > by self write
>> > by * none
>> >
>> >That's for openldap v 1.2.x
>> >
>> >could be
>> >
>> >defaultaccess read
>> >access to attrs=userpassword
>> > by self write
>> > by * auth
>> >
>> >for openldap v 2.x. I'm not sure. I'm not using it yet. If you do not want the
>> >users to be able to change their password, change the write for a read.
>> >
>> >P.Timmons
>> >
>> >"Rudolf Nottrott, NCEAS" wrote:
>> >>
>> >> Hello,
>> >>
>> >> I'm just getting into LDAP access control and I apologize if the answer to
>> >> my question is obvious to most of you.
>> >>
>> >> I am trying to prevent anonymous LDAP client programs, such as Eudora, from
>> >> seeing certain attributes. (Most importantly I don't want the userPassword
>> >> attribute to be seen.) I'm guessing that this is done with the
>> >> defaultaccess control in slapd.conf, but haven't found any simple
>> >> explanation of the details of defaultaccess usage.
>> >>
>> >> Can defaultaccess be used to hide certain attributes from anonymous client
>> >> such as Eudora? If not, how can it be done?
>> >>
>> >> Could you point me to a good explanation of the workings of
>> >> 'defaultaccess', perhaps a tutorial of some kind?
>> >>
>> >> Thanks for your help.
>> >>
>> >> Rudolf Nottrott
>> >> UCSB Santa Barbara
>> >
>> >--
>> >Patrick Timmons, service informatique
>> >
>
>--
>Patrick Timmons, service informatique
>
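The three slapd.conf fragments in this thread differ only in which access level they grant on userPassword to everyone else, and the behaviour Rudolf observed (a presence filter matching, no value returned) and the risk Patrick raised (guessing a password with an equality filter) both follow from that level. The following Python model, added here as an illustration and not code from the list posters or from OpenLDAP, parses the `defaultaccess` / `access to attrs=... by ... <level>` syntax used in the thread and evaluates searches and simple binds against a constructed three-entry directory. It assumes the OpenLDAP 2.x privilege ordering `none < disclose < auth < compare < search < read < write`, that a filter assertion on an attribute without `search` access evaluates to Undefined (so the entry does not match), and that a simple bind needs at least `auth` on userPassword for the still-anonymous client; the entry DNs, attribute values and cleartext passwords are constructed sample data.

```python
"""Toy model of OpenLDAP 2.x-style attribute ACLs. Illustration only, not slapd code;
it supports just the subset of slapd.conf syntax that appears in the thread."""
from dataclasses import dataclass, field

# Access levels, lowest to highest; each level implies every lower one (assumed 2.x lattice).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class Rule:
    attr: str                                   # lower-cased attribute name, or "*" for all
    grants: list = field(default_factory=list)  # [(who, level), ...] in file order


@dataclass
class Acl:
    default: str = "none"
    rules: list = field(default_factory=list)


def parse_acl(conf_text):
    """Parse 'defaultaccess <level>' and 'access to <target> by <who> <level> ...' clauses."""
    tokens = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment in slapd.conf
        if line:
            tokens.extend(line.split())
    acl, i = Acl(), 0
    while i < len(tokens):
        tok = tokens[i].lower()
        if tok == "defaultaccess":
            acl.default = tokens[i + 1].lower()
            i += 2
        elif tok == "access" and tokens[i + 1].lower() == "to":
            target = tokens[i + 2]              # 'attrs=userPassword', 'attr=...' or '*'
            attr = target.split("=", 1)[1].lower() if target.lower().startswith("attr") else "*"
            acl.rules.append(Rule(attr))
            i += 3
        elif tok == "by":
            acl.rules[-1].grants.append((tokens[i + 1].lower(), tokens[i + 2].lower()))
            i += 3
        else:
            raise ValueError(f"unexpected token {tokens[i]!r}")
    return acl


def who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "self":
        return requester_dn is not None and requester_dn == entry_dn
    if who == "anonymous":
        return requester_dn is None
    raise ValueError(f"unsupported 'by' subject {who!r}")


def access_level(acl, requester_dn, entry_dn, attr):
    """The first 'access to' clause matching the attribute decides; within it the first
    matching 'by' clause wins, and a clause that matches but grants nothing denies."""
    for rule in acl.rules:
        if rule.attr in ("*", attr.lower()):
            for who, level in rule.grants:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"
    return acl.default


def has(acl, requester_dn, entry_dn, attr, needed):
    return LEVELS.index(access_level(acl, requester_dn, entry_dn, attr)) >= LEVELS.index(needed)


def search(acl, requester_dn, entries, filter_attr, filter_value):
    """Equality (a value) or presence ('*') search. Using an attribute in the filter
    needs 'search'; returning its value needs 'read'. Without 'search' the assertion is
    Undefined, so the entry simply does not match and its DN is never disclosed."""
    results = {}
    for dn, attrs in entries.items():
        if not has(acl, requester_dn, dn, filter_attr, "search"):
            continue
        stored = attrs.get(filter_attr)
        if stored is not None and (filter_value == "*" or stored == filter_value):
            results[dn] = {a: v for a, v in attrs.items() if has(acl, requester_dn, dn, a, "read")}
    return results


def can_bind(acl, entries, dn, password):
    """Simple bind: the client is still anonymous, so it needs 'auth' on userPassword."""
    entry = entries.get(dn)
    if entry is None or not has(acl, None, dn, "userpassword", "auth"):
        return False
    return entry.get("userpassword") == password


# The three fragments from the thread, verbatim in substance.
WEAK = """      # Rudolf's working config: hides the value, but anyone may use it in a filter
defaultaccess read
access to attrs=userPassword
    by * search
"""
HARDENED = """  # Patrick's 2.x suggestion: owner may change it, everyone else may only bind with it
defaultaccess read
access to attrs=userPassword
    by self write
    by * auth
"""
LEGACY_NONE = """  # Patrick's 1.2.x form; under 2.x semantics nobody can bind any more
defaultaccess read
access to attrs=userPassword
    by self write
    by * none
"""

# Constructed sample directory (cleartext passwords, as in Rudolf's test entry).
ALICE, BOB, CAROL = ("uid=%s,dc=example,dc=org" % u for u in ("alice", "bob", "carol"))
ENTRIES = {
    ALICE: {"cn": "Alice", "userpassword": "test"},
    BOB: {"cn": "Bob", "userpassword": "hunter2"},
    CAROL: {"cn": "Carol"},                     # no password set
}

if __name__ == "__main__":
    weak, hard = parse_acl(WEAK), parse_acl(HARDENED)
    print("anonymous, weak, (userPassword=test):", list(search(weak, None, ENTRIES, "userpassword", "test")))
    print("anonymous, weak, (userPassword=*):", list(search(weak, None, ENTRIES, "userpassword", "*")))
    print("anonymous, hardened, (userPassword=test):", search(hard, None, ENTRIES, "userpassword", "test"))
    print("alice binds under hardened:", can_bind(hard, ENTRIES, ALICE, "test"))
    print("alice binds under 'by * none':", can_bind(parse_acl(LEGACY_NONE), ENTRIES, ALICE, "test"))
```

Under `by * search` the equality filter returns Alice's DN (with `cn` but without the password value), which is exactly the disclosure Patrick describes; under `by self write` / `by * auth` the same anonymous filters return nothing, Alice can still read and search her own entry after binding, and binding still works. The `by * none` variant shows why Patrick distinguished the 1.2.x and 2.x forms: with the 2.x lattice modelled here, nobody can authenticate against an attribute on which the anonymous client holds no `auth` access.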