
RE: ldapcompare

Sorry, it was actually returning '50 - insufficient access', which is what I would expect, and I was interpreting the result wrong.

I'll do some more investigation, but it appears to be working correctly.

-----Original Message-----
From: Jeff Costlow
Sent: Friday, January 25, 2002 5:09 PM
To: 'openldap-software@openldap.org'
Subject: ldapcompare


Taking a hint from the TODO list, I ended up hacking out parts of ldapsearch and creating ldapcompare.
I can submit it, but I have a question first.
I have an access rule setup in slapd.conf so that users can't see the userPassword attribute unless they are authenticated and they are over an encrypted channel (or on localhost):

access to dn="ou=People,dc=f5,dc=com" attr=userPassword
        by self ssf=128 write
        by self peername="IP=127\.0\.0\.1" write
        by anonymous auth
        by * none

So I did a compare:
ldapcompare -D "uid=costlow,ou=People,dc=f5,dc=com" -W -x "uid=costlow,ou=People,dc=f5,dc=com" userPassword "{CRYPT}$1$asdfj$laksjdlfja"

TRUE
The above is correct, from localhost I authenticated and then was allowed to compare the userpassword value that was stored.

But when I did this:
ldapcompare "uid=costlow,ou=People,dc=f5,dc=com" userPassword "{CRYPT}$1$asdfj$laksjdlfja"
TRUE
(I even did this on a host that wasn't localhost without using -ZZ)
Seems to me like the compare in this case should not work, because I wasn't authenticated.  Shouldn't that 'by * none' that's in there mean that I can't even do a compare?  At least the 'by anonymous auth'?  Maybe I am misunderstanding how the access rules work.
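To make the two rules behind the behaviour in this thread concrete (the "by" clauses are tried in order and the first matching one decides; access levels are ordered, so "auth" does not include "compare"), here is a small model of how slapd evaluates the quoted ACL. It is an added illustration, not code from the thread or from OpenLDAP. It transcribes the slapd.conf rule from the original message; the level ordering follows slapd.access(5) with "disclose" and "manage" left out; matching the peer by an exact IP string (instead of slapd's `peername` regex) and the sample IPs are simplifications assumed for the example.

```python
"""Toy model of how slapd evaluates the userPassword ACL quoted in the thread.

Assumption: a simplified re-implementation for illustration, not OpenLDAP's
own code. It keeps the two rules that explain the observed results:
  * "by" clauses are tried in order; the first clause whose <who> (and its
    extra qualifiers such as ssf= or peername=) matches decides the level;
  * levels are ordered none < auth < compare < search < read < write, and a
    granted level implies every lower one, so "auth" does not cover "compare".
Peer matching is reduced to an exact IP string instead of slapd's regex.
"""

# Ordered access levels from slapd.access(5) ("disclose" and "manage" omitted).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Transcription of the slapd.conf rule in the original message.
USERPASSWORD_ACL = [
    {"who": "self", "ssf": 128, "access": "write"},
    {"who": "self", "peername": "127.0.0.1", "access": "write"},
    {"who": "anonymous", "access": "auth"},
    {"who": "*", "access": "none"},
]


def clause_matches(clause, bind_dn, target_dn, ssf, peer_ip):
    """True if a single "by <who> ..." clause applies to this request."""
    who = clause["who"]
    if who == "self":
        if bind_dn is None or bind_dn.lower() != target_dn.lower():
            return False
    elif who == "anonymous":
        if bind_dn is not None:
            return False
    elif who == "users":
        if bind_dn is None:
            return False
    elif who != "*":
        raise ValueError(f"unsupported <who>: {who}")
    # Extra qualifiers on the same clause must all hold; otherwise the
    # clause is skipped and evaluation continues with the next one.
    if "ssf" in clause and ssf < clause["ssf"]:
        return False
    if "peername" in clause and peer_ip != clause["peername"]:
        return False
    return True


def granted_level(acl, bind_dn, target_dn, ssf, peer_ip):
    """First matching clause wins; no match at all means "none"."""
    for clause in acl:
        if clause_matches(clause, bind_dn, target_dn, ssf, peer_ip):
            return clause["access"]
    return "none"


def is_allowed(acl, needed, bind_dn, target_dn, ssf, peer_ip):
    """A granted level covers the needed one if it is at least as high."""
    level = granted_level(acl, bind_dn, target_dn, ssf, peer_ip)
    return LEVELS.index(level) >= LEVELS.index(needed)


def compare_result(acl, bind_dn, target_dn, ssf, peer_ip, value_matches):
    """What an ldapcompare client sees for this request.

    Returns "TRUE"/"FALSE" when compare access is granted, otherwise the
    LDAP result code 50 (insufficientAccessRights) reported in the thread.
    """
    if not is_allowed(acl, "compare", bind_dn, target_dn, ssf, peer_ip):
        return 50
    return "TRUE" if value_matches else "FALSE"


if __name__ == "__main__":
    me = "uid=costlow,ou=People,dc=f5,dc=com"
    # Bound as self from localhost, no TLS: second clause matches -> write.
    print(compare_result(USERPASSWORD_ACL, me, me, 0, "127.0.0.1", True))   # TRUE
    # Anonymous from a remote host: "by anonymous auth", auth < compare -> 50.
    print(compare_result(USERPASSWORD_ACL, None, me, 0, "10.0.0.5", True))  # 50
    # Bound as self but remote and in the clear: falls through to "by * none".
    print(compare_result(USERPASSWORD_ACL, me, me, 0, "10.0.0.5", True))    # 50
    # Same user remote over TLS with ssf >= 128: first clause matches -> write.
    print(compare_result(USERPASSWORD_ACL, me, me, 256, "10.0.0.5", True))  # TRUE
```

The anonymous case is the one the thread settles: the "by anonymous auth" clause matches first, so "by * none" is never consulted, and because "auth" sits below "compare" in the ordering the server answers with result code 50 rather than TRUE or FALSE.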