[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Password Access Control does not work as expected

To: openldap-software@OpenLDAP.org
Subject: Re: Password Access Control does not work as expected
From: Stephan Siano <stephan.siano@suse.de>
Date: Tue, 27 Apr 2004 15:58:17 +0200
In-reply-to: <200404271403.35864.martin.konold@erfrakon.de>
References: <200404271403.35864.martin.konold@erfrakon.de>
User-agent: Mozilla/5.0 (X11; U; Linux i686; de-AT; rv:1.4.2) Gecko/20040220

Martin Konold wrote:

Hi,
I am putting the following as the first entry in slapd.conf:
access to attr=userPassword
        by group="cn=admin,base_dn" write
        by group="cn=maintainer,base_dn" write
        by self write
        by anonymous auth
        by * none stop
To my surprise the admin and maintainer users are able to _read_ the userPassword attribute. I expect that users are able to authenticate and to set the password but nobody is allowed to read the password.
(Tested with multiple versions of OpenLDAP incl. 2.1.12)
Is this a known issue?


See man slapd.access

write includes all other privileges. you probably want =wx

Yours
Stephan Siano

--
----------------------------------------------------------------------
Dr. Stephan Siano, Consultant
SUSE LINUX AG, Mergenthalerallee 45-47, D-65760 Eschborn
T: +49 (0) 6196 5095131
F: +49 (0) 6196 409607    - stephan.siano@suse.com
----------------------------------------------------------------------

References:
- Password Access Control does not work as expected
  - From: Martin Konold <martin.konold@erfrakon.de>

Prev by Date: Re: Access list problem
Next by Date: Re: Access list problem
Index(es):
- Chronological
- Thread