
Re: userpassword permissions



I think "attr=userPassword" would be a search filter.
"attrs=userPassword" would be an attribute list.  Try adding the 's',
and maybe that'll work.

-Matt
On Tue, 2005-03-15 at 13:10 -0600, Jon Roberts wrote:
> This was just discussed, I know.
> 
> OpenLDAP 2.2.23, BDB 4.2.52, FC3
> 
> Acls in slapd.conf:
> 
> access to attr=userPassword
>      by self write
>      by anonymous auth
>      by * none
> access to dn.subtree="ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"
>      by dn="uid=annie,ou=Generic,ou=People,o=mentata.com" write
>      by * read
> access to *
>      by * read
> 
> I get:
> 
> % ldapsearch -x -b 'ou=Generic,ou=People,o=mentata.com' '(uid=*)'
> 
> # extended LDIF
> #
> # LDAPv3
> # base <ou=People,o=mentata.com> with scope sub
> # filter: (uid=*)
> # requesting: ALL
> #
> 
> # annie, Generic, People, mentata.com
> dn: uid=annie,ou=Generic,ou=People,o=mentata.com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> userPassword:: bm9ubmll
> uid: annie
> givenName: Annie
> sn: Nonnie
> cn: Annie Nonnie
> 
> # search result
> search: 2
> result: 0 Success
> 
> # numResponses: 2
> # numEntries: 1
> 
> Why is the (base64-encoded) password visible on an anonymous search with 
> these access control rules?
> 
> Jon Roberts
> www.mentata.com
Matthew J. Smith
University of Connecticut ITS
This message sent at Tue Mar 15 14:58:45 2005
PGP Key: http://web.uconn.edu/dotmatt/matt.asc
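The question in the thread comes down to which `access to` directive slapd applies to an anonymous read of `userPassword`. As an added example (not code from either poster), the script below models the first-match semantics of slapd.access(5): the first `access to` clause whose `<what>` covers the attribute wins, and within it the first matching `by` clause decides the level. It runs over the ACL text Jon posted and over a constructed variant with the catch-all rule placed first. The parser is a deliberately small model: it supports `*`, `attr=`/`attrs=` lists, and `dn.subtree=`/`dn.base=`/`dn.exact=` scoping, and raises on anything else rather than guessing.

```python
"""Audit slapd.conf access directives for anonymous password exposure.

Added example, not from the thread.  Models slapd's rule evaluation order:
first matching 'access to' directive wins, then the first matching 'by'
clause inside it.  Only a subset of slapd.access(5) <what> syntax is handled.
"""
import re
from dataclasses import dataclass, field

# ACL text as posted in the thread, used here as sample input.
POSTED_ACL = """\
access to attr=userPassword
     by self write
     by anonymous auth
     by * none
access to dn.subtree="ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"
     by dn="uid=annie,ou=Generic,ou=People,o=mentata.com" write
     by * read
access to *
     by * read
"""

# Constructed variant: same rules, but the catch-all comes first.
MISORDERED_ACL = """\
access to *
     by * read
access to attrs=userPassword
     by self write
     by anonymous auth
     by * none
"""

ANNIE = "uid=annie,ou=Generic,ou=People,o=mentata.com"   # DN from the thread

# slapd privilege levels, weakest to strongest; "auth" permits binds only.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class Directive:
    what: str
    by: list = field(default_factory=list)   # (who, level) pairs in file order


def parse_acls(text):
    """Join indented continuation lines, then split each directive into its 'by' clauses."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[:1] in (" ", "\t") and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives = []
    for line in logical:
        if not line.startswith("access to "):
            continue
        parts = re.split(r"\s+by\s+", line)
        d = Directive(what=parts[0][len("access to "):].strip())
        for clause in parts[1:]:
            toks = clause.split()
            if len(toks) < 2:
                raise ValueError("by clause without access level: " + clause)
            d.by.append((toks[0], toks[1].lower()))
        directives.append(d)
    return directives


def what_matches(what, dn, attr):
    """Does the <what> part cover attribute `attr` of entry `dn`?"""
    if what == "*":
        return True
    recognised = False
    m = re.search(r"\battrs?=(\S+)", what)      # both spellings seen in the thread
    if m:
        recognised = True
        names = [n.strip().lower() for n in m.group(1).split(",")]
        if attr.lower() not in names and "*" not in names:
            return False
    m = re.search(r'\bdn\.(subtree|base|exact)="?([^"\s]+)"?', what)
    if m:
        recognised = True
        style, base, d = m.group(1), m.group(2).lower(), dn.lower()
        if style == "subtree" and not (d == base or d.endswith("," + base)):
            return False
        if style in ("base", "exact") and d != base:
            return False
    if not recognised:
        raise ValueError("unsupported <what> clause: " + what)
    return True


def anonymous_access(directives, dn, attr):
    """(directive index, level) slapd grants an anonymous client on attr of dn.

    An anonymous client matches 'anonymous' or '*'.  A directive that matches
    the target but has no matching 'by' clause denies access; so does having
    no matching directive at all.
    """
    for i, d in enumerate(directives):
        if not what_matches(d.what, dn, attr):
            continue
        for who, level in d.by:
            if who in ("anonymous", "*"):
                return i, level
        return i, "none"
    return None, "none"


def password_exposed(acl_text, dn, attr="userPassword"):
    """True when an anonymous client would get read (or stronger) on the password attribute."""
    _, level = anonymous_access(parse_acls(acl_text), dn, attr)
    return LEVELS.index(level) >= LEVELS.index("read")


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("misordered", MISORDERED_ACL)):
        idx, level = anonymous_access(parse_acls(acl), ANNIE, "userPassword")
        print(f"{name}: directive {idx} gives anonymous '{level}' on userPassword; "
              f"exposed={password_exposed(acl, ANNIE)}")
```

Run against the posted rules, the model says anonymous gets only `auth` on `userPassword` (directive 0) and `read` on everything else (directive 2), so the rules as written should not leak the hash; the misordered variant shows the other common cause, where `access to *` first swallows every request. What a text-level model cannot see is slapd failing to parse a directive the way the author intended, which is the kind of problem Matt suggests, so the authoritative check remains an anonymous `ldapsearch` for `userPassword` against the running server. Note also that the `::` in the LDIF output only marks base64 transport encoding; it is not protection, and the value decodes to the stored password as-is.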
