
Re: Password Access Control does not work as expected



On Tuesday 27 April 2004 02:58 pm you wrote:

Hello Frank,

Thanks for your help!

> > access to attr=userPassword
> >         by group="cn=admin,base_dn" write
> >         by group="cn=maintainer,base_dn" write
> >         by self write
> >         by anonymous auth
> >         by * none stop
> >
> > To my surprise the admin and maintainer users are able to _read_ the
> > userPassword attribute. I expect that users are able to authenticate and
> > to set the password but nobody is allowed to read the password.
>
> Why did it surprise you?

Because I blindly followed the UserPassword example in the Admin Guide 
(Chapter 5.4) without reading and understanding every other chapter ;-)

(the example allows the administrator to read the password of a user)

> You did read the slapd.access man page and the 
> administrators guide before you started didn't you?  They both tell you
> that all accesses include lower level accesses, therefore write includes
> read, auth, search, and compare.

I changed it now to:
access to attr=userPassword
        by group="cn=admin,dc=com" =wx
        by group="cn=maintainer,dc=com" =wx
        by self =wx
        by anonymous =x
        by * none stop

and it works as expected.

Regards,
-- martin

Dipl.-Phys. Martin Konold

e r f r a k o n
Erlewein, Frank, Konold & Partner - Beratende Ingenieure und Physiker
Nobelstrasse 15, 70569 Stuttgart, Germany
fon: 0711 67400963, fax: 0711 67400959
email: martin.konold@erfrakon.de
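As an added illustration of the point Frank makes (this is not code from the thread or from OpenLDAP itself), here is a small Python model of how slapd picks the first matching "by" clause and then compares what a cumulative level keyword such as "write" grants against an explicit privilege set such as "=wx". The two clause lists are transcribed from the ACLs quoted above; the bind DNs used to exercise them are constructed.

```python
# Added example: minimal model of slapd access-level vs. explicit-privilege
# evaluation for a single "access to attr=userPassword" directive.
# Assumption: only the selectors used in the thread (group=, self, anonymous, *)
# are modelled; a real slapd.conf supports many more.

# Cumulative levels: a level keyword grants itself and every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
# Letters accepted in an explicit "=..." privilege spec.
PRIV_LETTERS = {"0": "none", "d": "disclose", "x": "auth", "c": "compare",
                "s": "search", "r": "read", "w": "write"}

def privileges(spec):
    """Expand an access spec into the set of privileges it actually grants."""
    if spec.startswith("="):
        # Explicit privileges: exactly the listed ones, nothing is implied.
        return {PRIV_LETTERS[ch] for ch in spec[1:] if ch != "0"}
    # Level keyword: this level plus everything below it ("write" implies read).
    return set(LEVELS[1:LEVELS.index(spec) + 1])

def evaluate(acl, who, groups, target, op):
    """True if the first matching "by" clause grants `op` on `target`.

    acl:    list of (selector, spec) pairs in file order ("stop" is the default
            control, so the first matching clause decides).
    who:    bind DN, or None for an anonymous bind.
    groups: set of group DNs the bind DN is a member of.
    target: DN of the entry whose userPassword is being accessed.
    """
    for selector, spec in acl:
        if selector == "*":
            matched = True
        elif selector == "self":
            matched = who is not None and who == target
        elif selector == "anonymous":
            matched = who is None
        elif selector.startswith("group="):
            matched = selector[len("group="):] in groups
        else:
            matched = False
        if matched:
            return op in privileges(spec)
    return False  # no clause matched: slapd denies by default

# The ACL Martin started with (transcribed from the quoted text above).
ORIGINAL_ACL = [("group=cn=admin,base_dn", "write"),
                ("group=cn=maintainer,base_dn", "write"),
                ("self", "write"), ("anonymous", "auth"), ("*", "none")]

# The ACL he changed it to.
FIXED_ACL = [("group=cn=admin,dc=com", "=wx"),
             ("group=cn=maintainer,dc=com", "=wx"),
             ("self", "=wx"), ("anonymous", "=x"), ("*", "none")]
```

Running `evaluate` with the same bind DN against both lists shows why the admin could read userPassword under the first ACL but not under the second, while binds and password changes work in both.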