
Re: Hiding userPassword and other attributes from anonymous LDAP clients (such as Eudora)



At 04:18 PM 10/13/00 -0700, Rudolf Nottrott, NCEAS wrote:
>I just tried this out, and I'm getting strange effects.  
>I set up a test entry with user password "test". 
>
>If I do 
>
>ldapsearch -b searchbase "userpassword=*"
>
>then I get indeed all entries with a password (without actually seeing the
>password in the returned entries).  

Yes, you granted permission to search by userPassword.


>If I do 
>
>ldapsearch -b searchbase "userpassword=test" 
>
>I get nothing returned whatsoever.  
>
>Now this is even more confusing!

This implies none of the entries' userPassword value is "test".
You are asserting userPassword is "test", not password is "test".
That is, if userPassword is some value derived from "test"
(such as when hashed passwords are in use), then to get a match
you'd have to assert this derived value.

Kurt
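
The difference between asserting a value in a search filter and verifying a password, as an added example that is not part of the original message. It assumes the stored value uses the salted SHA-1 `{SSHA}` scheme (the thread does not say which scheme is in use); the function names and the salt are hypothetical.

```python
import base64
import hashlib
import hmac

SCHEME = b"{SSHA}"  # assumed storage scheme; the thread does not name one


def make_ssha(password: bytes, salt: bytes) -> bytes:
    """Build a stored value: {SSHA} + base64(SHA1(password + salt) + salt)."""
    digest = hashlib.sha1(password + salt).digest()
    return SCHEME + base64.b64encode(digest + salt)


def equality_filter_matches(stored: bytes, asserted: bytes) -> bool:
    """Model of (userPassword=<asserted>): the asserted bytes are compared
    with the stored bytes as they are; nothing is hashed on the way."""
    return stored == asserted


def verify_password(stored: bytes, candidate: bytes) -> bool:
    """Scheme-aware check, as done when authenticating: re-derive the hash
    from the candidate and the stored salt, then compare digests."""
    if stored.startswith(SCHEME):
        raw = base64.b64decode(stored[len(SCHEME):])
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        derived = hashlib.sha1(candidate + salt).digest()
        return hmac.compare_digest(derived, digest)
    # No scheme prefix: the value is stored in the clear.
    return hmac.compare_digest(stored, candidate)


SALT = bytes.fromhex("a1b2c3d4")      # constructed sample salt
HASHED = make_ssha(b"test", SALT)     # what the test entry would hold
CLEARTEXT = b"test"                   # same password stored unhashed

if __name__ == "__main__":
    print("stored value:          ", HASHED.decode())
    print("filter userPassword=test:", equality_filter_matches(HASHED, b"test"))
    print("filter with stored value:", equality_filter_matches(HASHED, HASHED))
    print("password check 'test':   ", verify_password(HASHED, b"test"))
    print("cleartext entry, filter: ", equality_filter_matches(CLEARTEXT, b"test"))
```

The last line shows why search permission on userPassword matters when values are stored in the clear: there the filter `userpassword=test` does match.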