Re: ACL Blacklist
> Thanks for the prompt reply, my version of openldap is 2.1.25 - I'm
> using groupOfNames and the entry
>
>
> access to attr=userPassword
> by
> group/groupOfNames/member="cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com"
> none
> by users read
> by * auth
>
> access to *
> by * read
I think I had some ham slices on my eyes: the "by group=<> none"
does not match, because before bind takes place, your user has
no identity. But the "by * none" matches it, so it gets read
permission on the password as well! You can't inhibit bind
(how could your DSA be of any use, otherwise?); simply use
"by group=<> none" on everything else, e.g.

  access to attrs=userPassword
    by * auth
  access to *
    by group=<blacklist dn> none
    by users read
    by * none

Note the "by users read"; if you simply do "by * read", then unbound
users would have read privileges, while bound users in the blacklist
would not. I guess the first thing a blacklisted user would do is not
to auth any more!
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
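To see why the blacklist only bites once it is applied to "everything else", here is a small model of slapd's first-match ACL evaluation, added as an illustration for this thread (it is not code from the thread or from OpenLDAP). It assumes the simplified semantics described above: the first "access to" whose target matches is used, the first "by" whose subject matches decides, a bind is evaluated against the anonymous identity, and privileges are ordered none < auth < read; "uid=bob" and "uid=alice" are constructed sample identities.

```python
# Simplified model of OpenLDAP slapd ACL evaluation (illustration only, not slapd code).
LEVELS = {"none": 0, "auth": 1, "read": 2}


class Who:
    """An identity: dn is None for anonymous (the state before bind completes)."""
    def __init__(self, dn, groups=()):
        self.dn, self.groups = dn, set(groups)


def by_matches(subject, who):
    if subject == "*":
        return True
    if subject == "users":                       # any authenticated identity
        return who.dn is not None
    if subject.startswith("group="):             # member of the named group
        return subject[len("group="):] in who.groups
    return False


def access(acl, who, attr):
    """Privilege name granted to `who` on `attr`: first matching target, first matching by."""
    for target, by_list in acl:
        if target in ("*", attr):
            for subject, level in by_list:
                if by_matches(subject, who):
                    return level
            return "none"                        # target matched but no "by" did: deny
    return "none"


def allowed(acl, who, attr, needed):
    return LEVELS[access(acl, who, attr)] >= LEVELS[needed]


BL = "cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com"   # group DN from the thread

# The original poster's ACL: blacklist applied to userPassword only.
ORIGINAL = [
    ("userPassword", [("group=" + BL, "none"), ("users", "read"), ("*", "auth")]),
    ("*", [("*", "read")]),
]
# The suggested ACL: everyone may auth, the blacklist is denied everywhere else.
FIXED = [
    ("userPassword", [("*", "auth")]),
    ("*", [("group=" + BL, "none"), ("users", "read"), ("*", "none")]),
]

ANON = Who(None)
BLACKLISTED = Who("uid=bob,ou=people,dc=mydomain,dc=com", {BL})   # constructed
NORMAL = Who("uid=alice,ou=people,dc=mydomain,dc=com")            # constructed


def bind_possible(acl):
    # Bind is checked as anonymous, so a group-based "none" can never stop it.
    return allowed(acl, ANON, "userPassword", "auth")


def reads_cn(acl, who):
    return allowed(acl, who, "cn", "read")
```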