Re: SASL / DIGEST-MD5

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Friday, March 14, 2003 5:28 PM +0100 Francois Beretti 
<francois.beretti@enatel.com> wrote:

> Le ven 14/03/2003 à 17:17, Quanah Gibson-Mount a écrit :
> > > I have to add "by anonymous search" in the third ACL to get it working
> > > And after that I can comment the first ACL without effect
> >
> > Yup.  If you want, and can figure out exactly what it information it is
> > wanting to look at, you can restrict this even more.  For us, any
> > incoming  connection needs access to the krb5PrincipalName attribute
> > (since we are  doing GSSAPI authentication for our applications), so I
> > have the line:
> >
> > access to attr=krb5PrincipalName,member
> >         by * search
>
> ok, but I believe that the information accessed by DIGEST-MD5 mechanism
> is the userPassword attribute, so I don't want it to be world readable
> :)
>
> Am I wrong ?

I would say that is correct. :) by * search does not give read access, so 
it isn't world readable if you grant search access.  There is a helpful 
explanation of the differing levels of permissions in the OpenLDAP 
administrator's guide.  See the section about Access Control, specifically 
Table 5.4.

--Quanah

--
Quanah Gibson-Mount
Senior Systems Administrator
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html