
Re: userpassword permissions



I would guess that you have some other access controls in
your slapd.conf(5) file, or that you didn't restart the
server after modifying your slapd.conf(5) file, or your
slapd.conf(5) file is malformed in some way.

Kurt

At 11:10 AM 3/15/2005, Jon Roberts wrote:
>This was just discussed, I know.
>
>OpenLDAP 2.2.23, BDB 4.2.52, FC3
>
>Acls in slapd.conf:
>
>access to attr=userPassword
>    by self write
>    by anonymous auth
>    by * none
>access to dn.subtree="ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"
>    by dn="uid=annie,ou=Generic,ou=People,o=mentata.com" write
>    by * read
>access to *
>    by * read
>
>I get:
>
>% ldapsearch -x -b 'ou=Generic,ou=People,o=mentata.com' '(uid=*)'
>
># extended LDIF
>#
># LDAPv3
># base <ou=People,o=mentata.com> with scope sub
># filter: (uid=*)
># requesting: ALL
>#
>
># annie, Generic, People, mentata.com
>dn: uid=annie,ou=Generic,ou=People,o=mentata.com
>objectClass: top
>objectClass: person
>objectClass: organizationalPerson
>objectClass: inetOrgPerson
>userPassword:: bm9ubmll
>uid: annie
>givenName: Annie
>sn: Nonnie
>cn: Annie Nonnie
>
># search result
>search: 2
>result: 0 Success
>
># numResponses: 2
># numEntries: 1
>
>Why is the (base64-encoded) password visible on an anonymous search with these access control rules?
>
>Jon Roberts
>www.mentata.com
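To make Kurt's point about directive order concrete, here is an added example that is not part of either post: a small Python model of how slapd evaluates the access directives Jon quoted, assuming the semantics documented in slapd.access(5) (the first `access to` directive whose target matches wins, the first matching `by` clause inside it decides, and nothing matching means no access). Only the `what`/`who` forms used in Jon's slapd.conf are modelled; with the file as posted, anonymous gets `auth` on userPassword, which is below `read`, whereas an extra broad directive placed earlier in the file (the kind of "other access control" Kurt suspects) hands out `read` before the userPassword rule is ever reached.

```python
# Added example (not from the thread): a model of slapd access evaluation per
# slapd.access(5): first matching "access to" wins, first matching "by" decides,
# otherwise no access. Only the what/who forms in Jon's slapd.conf are handled.
CONF = """
access to attr=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"
    by dn="uid=annie,ou=Generic,ou=People,o=mentata.com" write
    by * read
access to *
    by * read
"""
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def parse_acls(conf):
    acls = []  # [(what, [(who, level), ...]), ...] in file order
    for line in (l.strip() for l in conf.splitlines()):
        if line.startswith("access to "):
            acls.append((line[10:], []))
        elif line.startswith("by ") and acls:
            acls[-1][1].append(tuple(line[3:].rsplit(" ", 1)))
    return acls

def what_matches(what, dn, attr):
    if what == "*":
        return True
    if what.startswith("attr="):
        return what[5:].lower() == attr.lower()
    base = what[len('dn.subtree="'):-1].lower()  # dn.subtree="..."
    return dn.lower() == base or dn.lower().endswith("," + base)

def who_matches(who, requester, dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None  # requester None models an unauthenticated bind
    target = dn if who == "self" else who[len('dn="'):-1]  # self or dn="..."
    return requester is not None and requester.lower() == target.lower()

def access_level(acls, requester, dn, attr):
    """Level granted by the first matching directive; 'none' if nothing matches."""
    for what, by in acls:
        if what_matches(what, dn, attr):
            return next((lvl for who, lvl in by if who_matches(who, requester, dn)), "none")
    return "none"

def can_read(acls, requester, dn, attr):
    return LEVELS.index(access_level(acls, requester, dn, attr)) >= LEVELS.index("read")
```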