[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Hiding userPassword and other attributes from anonymousLDAPclients (such as Eudora)
No, I don't think you are right. I use
access to attr=userPassword by * auth
by * none
access to *
by self write
by anonymous auth
by * read
It works for me.
----- Original Message -----
From: "Patrick Timmons" <ptimmons@courriel.polymtl.ca>
To: "Rudolf Nottrott, NCEAS" <nottrott@nceas.ucsb.edu>
Cc: "Mike Coughlan" <mcoughlan@gothambroadband.com>; "OpenLDAP-Software"
<openldap-software@OpenLDAP.org>; <nottrott@ulysses.nceas.ucsb.edu>
Sent: Friday, October 13, 2000 10:47 PM
Subject: Re: Hiding userPassword and other attributes from
anonymousLDAPclients (such as Eudora)
> Hi again.
>
> I think there is a problem in having an acl that allows to search on the
> userpassword field especialy if the users can modify their password. You
could
> do a search like
>
> ldapsearch "userpassword=master"
> or ldapsearch "userpassword=god"
>
> and get the DN of all users with that password. Then you could login as
them and
> have access to private data.
>
> Am I right ?
>
> "Rudolf Nottrott, NCEAS" wrote:
> >
> > Thanks Patrick, for your examples.
> >
> > I did a lot of experimenting yesterday and found that the following
works
> > for hiding the password, although I still don't really understand how:
> >
> > defaultaccess read
> > access to attr=userPassword
> > by * search
> >
> > access to * by self write
> >
> > Taken as plain English, "access to attr=userPassword" suggests the
opposite
> > of hiding to me, but it hides the password alright.
> >
> > Still looking for something like a tutorial on this, or at least some
> > better explanation than the slapd config manual at
> > http://www.openldap.org/devel/admin/slapdconfig.html provides.
> >
> > Thanks,
> >
> > Rudolf
> >
> > At 10:23 AM 10/13/00 -0400, you wrote:
> > >Here's how you can do this:
> > >
> > >defaultaccess read
> > >access to attrs=userpassword
> > > by self write
> > > by * none
> > >
> > >That's for openldap v 1.2.x
> > >
> > >could be
> > >
> > >defaultaccess read
> > >access to attrs=userpassword
> > > by self write
> > > by * auth
> > >
> > >for openldap v 2.x. I'm not sure. I'm not using it yet. If you do not
want
> > the
> > >users to be able to change their password, change the write for a read.
> > >
> > >P.Timmons
> > >
> > >"Rudolf Nottrott, NCEAS" wrote:
> > >>
> > >> Hello,
> > >>
> > >> I'm just getting into LDAP access control and I apologize if the
answer to
> > >> my question is obvious to most of you.
> > >>
> > >> I am trying to prevent anonymous LDAP client programs, such as
Eudora, from
> > >> seeing certain attributes. (Most importantly I don't want the
userPassword
> > >> attribute to be seen.) I'm guessing that this is done with the
> > >> defaultaccess control in slapd.conf, but haven't found any simple
> > >> explanation of the details of defaultaccess usage.
> > >>
> > >> Can defaultaccess be used to hide certain attributes from anonymous
client
> > >> such as Eudora? If not, how can it be done?
> > >>
> > >> Could you point me to a good explanation of the workings of
> > >> 'defaultaccess', perhaps a tutorial of some kind?
> > >>
> > >> Thanks for your help.
> > >>
> > >> Rudolf Nottrott
> > >> UCSB Santa Barbara
> > >
> > >--
> > >Patrick Timmons, service informatique
> > >
>
> --
> Patrick Timmons, service informatique
>