Re: SASL / DIGEST-MD5
On Fri 14/03/2003 at 17:27, Quanah Gibson-Mount wrote:
> > ok, but I believe that the information accessed by DIGEST-MD5 mechanism
> > is the userPassword attribute, so I don't want it to be world readable
> > :)
> >
> > Am I wrong ?
>
> I would say that is correct. :) by * search does not give read access, so
> it isn't world readable if you grant search access. There is a helpful
> explanation of the differing levels of permissions in the OpenLDAP
> administrator's guide. See the section about Access Control, specifically
> Table 5.4.
yes, and I think I'm on the right way, thanks to your advice and the
logfile :)
with the following ACL it works :
access to dn.base=""
    by * read
access to *
    by dn.base="cn=root,dc=enatel,dc=local" write
    by * break
access to dn=".*,ou=people,dc=enatel,dc=local" attr=objectClass
    by * search
    by * break
access to dn=".*,ou=people,dc=enatel,dc=local"
    by self write
    by dn.base="cn=root,dc=enatel,dc=local" write
    by anonymous auth
    by * none
I just have to understand it, then to clean it :)
Francois Beretti
>
> --Quanah
>
> --
> Quanah Gibson-Mount
> Senior Systems Administrator
> ITSS/TSS/Computing Systems
> Stanford University
> GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
>
>
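A simplified model of how slapd walks the ACL posted in this message, added here as an example; it is not part of the original post and is not OpenLDAP code. It assumes constructed entries uid=alice and uid=bob under ou=people, and models only the `*`, `self`, `anonymous` and exact-DN who-clauses with the `stop` and `break` controls.

```python
import re

# slapd access levels, lowest to highest; each level implies the lower ones.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]
ROOT = "cn=root,dc=enatel,dc=local"
PEOPLE = re.compile(r".*,ou=people,dc=enatel,dc=local$", re.I)

# The posted ACL as (what-predicate, [(who, level, control), ...]) rules.
ACL = [
    (lambda dn, attr: dn == "", [("*", "read", "stop")]),
    (lambda dn, attr: True, [(ROOT, "write", "stop"), ("*", None, "break")]),
    (lambda dn, attr: bool(PEOPLE.match(dn)) and attr.lower() == "objectclass",
     [("*", "search", "stop"), ("*", None, "break")]),
    (lambda dn, attr: bool(PEOPLE.match(dn)),
     [("self", "write", "stop"), (ROOT, "write", "stop"),
      ("anonymous", "auth", "stop"), ("*", "none", "stop")]),
]

def who_matches(who, bound_dn, target_dn):
    """bound_dn is None for an anonymous (not yet authenticated) session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if bound_dn is None:
        return False
    wanted = target_dn if who == "self" else who
    return bound_dn.lower() == wanted.lower()

def granted(bound_dn, target_dn, attr):
    """Access level this ACL gives bound_dn on attr of target_dn."""
    for what, clauses in ACL:
        if not what(target_dn, attr):
            continue
        for who, level, control in clauses:
            if who_matches(who, bound_dn, target_dn):
                if control == "break":
                    break          # leave this rule, try the next one that matches
                return level       # default control is stop: first match decides
        else:
            return "none"          # implicit trailing "by * none" in every rule
    return "none"                  # nothing left to match: access is denied

def allows(bound_dn, target_dn, attr, wanted):
    return LEVELS.index(granted(bound_dn, target_dn, attr)) >= LEVELS.index(wanted)
```

In this model an anonymous session gets `auth` but not `read` on userPassword, and the `by * break` in the objectClass rule is never reached because `by * search` already matches everyone.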