
Re: Hiding userPassword and other attributes from anonymous LDAP clients (such as Eudora)



Your access control is wrong!!


----- Original Message -----
From: "Rudolf Nottrott, NCEAS" <nottrott@nceas.ucsb.edu>
To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Cc: "Patrick Timmons" <ptimmons@courriel.polymtl.ca>; "Mike Coughlan"
<mcoughlan@gothambroadband.com>; "OpenLDAP-Software"
<openldap-software@OpenLDAP.org>; <nottrott@ulysses.nceas.ucsb.edu>
Sent: Friday, October 13, 2000 11:44 PM
Subject: Re: Hiding userPassword and other attributes from
anonymous LDAP clients (such as Eudora)


> I do have an entry with a clear text password entry that looks like this.
>
> userPassword: test
>
> And yet, nothing is returned if I do
>
> ldapsearch -b searchbase "userpassword=test"
>
> If I do
>
> ldapsearch -b searchbase "userpassword=*"
>
> I get the entry, plus others.
>
> Rudolf
>
> The entry is not returned if I do
> At 04:33 PM 10/13/00 -0700, Kurt D. Zeilenga wrote:
> >At 04:18 PM 10/13/00 -0700, Rudolf Nottrott, NCEAS wrote:
> >>I just tried this out, and I'm getting strange effects.
> >>I set up a test entry with user password "test".
> >>
> >>If I do
> >>
> >>ldapsearch -b searchbase "userpassword=*"
> >>
> >>then I get indeed all entries with a password (without actually seeing the
> >>password in the returned entries).
> >
> >Yes, you granted permission to search by userPassword.
> >
> >
> >>If I do
> >>
> >>ldapsearch -b searchbase "userpassword=test"
> >>
> >>I get nothing returned whatsoever.
> >>
> >>Now this it's even more confusing!
> >
> >This implies none of the entries' userPassword value is "test".
> >You are asserting userPassword is "test", not password is "test".
> >That is, if userPassword is some value derived from "test"
> >(such as when hashed passwords are in use), then to get a match
> >you'd have to assert this derived value.
> >
> >Kurt
> >
>
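The access-control change the exchange above points at, as an added example that is not part of the original thread or of OpenLDAP's own documentation: a slapd.conf `access` directive that stops anonymous clients from searching on userPassword while still letting users bind with it. The suffix and the surrounding catch-all rule are assumptions for illustration.

```conf
# Added example, not from the thread. Assumes slapd.conf-style ACLs and
# a placeholder suffix of dc=example,dc=com.

# Too permissive (the situation described in the thread): "by * search"
# lets any client, anonymous ones included, use userPassword in a search
# filter, so a stored value can be matched against a guessed one.
#access to attrs=userPassword
#        by self write
#        by * search

# Corrected: the entry's owner may change the value, anyone may present
# it to bind (auth), and nobody else may read, compare or search on it.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Catch-all for the remaining attributes; directory clients such as
# address-book lookups still get read access to everything else.
access to *
        by self write
        by * read
```

Order matters: slapd uses the first `access to` clause whose target matches, so the userPassword rule has to appear before the catch-all, or the catch-all's `by * read` wins. To confirm the change, repeat the thread's own check against the server as an anonymous client (`ldapsearch -b searchbase "userpassword=*"`); with the corrected rule it returns no entries, whereas before it returned every entry that has a password. Kurt's hashing remark still applies once the ACL is right: a filter on userPassword compares against the stored value, so with hashed storage the filter would have to carry the hash, not the cleartext.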