On Tue, 2005-03-15 at 14:10, Jon Roberts wrote:
> This was just discussed, I know.
>
> OpenLDAP 2.2.23, BDB 4.2.52, FC3
>
> ACLs in slapd.conf:
>
> access to attr=userPassword
>     by self write
>     by anonymous auth
>     by * none

This is the correct syntax. The last line is implicit and not necessary.

Have you tried to restart slapd and perform your anonymous ldapsearch again?

What happens if you:
- remove the lines 'by self write' and 'by anonymous auth',
- restart slapd
- and perform your anonymous ldapsearch?

> access to dn.subtree="ou=Anonymous,ou=Comments,ou=Expressions,o=mentata.com"
>     by dn="uid=annie,ou=Generic,ou=People,o=mentata.com" write
>     by * read
> access to *
>     by * read
>
> I get:
>
> % ldapsearch -x -b 'ou=Generic,ou=People,o=mentata.com' '(uid=*)'
>
> # extended LDIF
> #
> # LDAPv3
> # base <ou=People,o=mentata.com> with scope sub
> # filter: (uid=*)
> # requesting: ALL
> #
>
> # annie, Generic, People, mentata.com
> dn: uid=annie,ou=Generic,ou=People,o=mentata.com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> userPassword:: bm9ubmll
> uid: annie
> givenName: Annie
> sn: Nonnie
> cn: Annie Nonnie
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> Why is the (base64-encoded) password visible on an anonymous search with
> these access control rules?
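The check suggested above (restart slapd, repeat the anonymous search, see whether userPassword is still returned) is easy to get wrong by eye when ldapsearch wraps lines. The following shell script is an added example, not code from the thread or from OpenLDAP: it runs the same anonymous search the poster used, asks only for userPassword, and fails if the attribute comes back. It assumes the OpenLDAP client tools are installed and a server answers at ldap://localhost; the base DN defaults to the one in the thread. The LDIF samples at the bottom are constructed to exercise the parser without a server.

```shell
#!/bin/sh
# Added example (not part of the original thread): detect whether an
# anonymous bind can read userPassword. Assumes ldapsearch from the OpenLDAP
# client tools and a server at ldap://localhost (both assumptions).

# unfold_ldif: join LDIF continuation lines. RFC 2849 lets a line be folded
# at any point by inserting a newline followed by one space, and ldapsearch
# folds long lines at 76 columns, so we unfold before matching attributes.
unfold_ldif() {
    awk '
        /^ /  { buf = buf substr($0, 2); next }
              { if (started) print buf; buf = $0; started = 1 }
        END   { print buf }'
}

# ldif_leaks_password LDIF_TEXT: exit 0 if any entry in the text carries a
# userPassword attribute, whether plain ("userPassword:") or base64
# ("userPassword::"), exit 1 otherwise. ldapsearch's "# ..." comment lines
# never match because the pattern is anchored at the start of the line.
ldif_leaks_password() {
    printf '%s\n' "$1" | unfold_ldif | grep -qi '^userPassword:'
}

# check_anonymous_userpassword [BASE] [URI]: perform the anonymous (-x,
# no -D) search from the thread, requesting only userPassword, and report.
# Exit 1 means the ACL is not hiding the attribute; exit 2 means the search
# itself failed (server down, wrong URI, wrong base).
check_anonymous_userpassword() {
    base=${1:-'ou=Generic,ou=People,o=mentata.com'}
    uri=${2:-ldap://localhost}
    out=$(ldapsearch -x -LLL -H "$uri" -b "$base" '(uid=*)' userPassword) || {
        echo "ldapsearch failed against $uri (base $base)" >&2
        return 2
    }
    if ldif_leaks_password "$out"; then
        echo "FAIL: anonymous bind can read userPassword under $base" >&2
        return 1
    fi
    echo "OK: userPassword not returned to anonymous under $base"
}

# Constructed sample: the entry as the thread shows it, password visible.
SAMPLE_LEAK='dn: uid=annie,ou=Generic,ou=People,o=mentata.com
objectClass: inetOrgPerson
userPassword:: bm9ubmll
uid: annie'

# Constructed sample: the same entry as it should look once the ACL applies.
SAMPLE_CLEAN='dn: uid=annie,ou=Generic,ou=People,o=mentata.com
objectClass: inetOrgPerson
uid: annie'

# Constructed sample: a fold placed inside the attribute name, the worst
# case for a naive grep and the reason unfold_ldif runs first.
SAMPLE_FOLDED='dn: uid=annie,ou=Generic,ou=People,o=mentata.com
userPasswo
 rd:: bm9ubmll'
```

Source the file after restarting slapd and run `check_anonymous_userpassword` (optionally with a different base DN and `ldap://host` URI); a non-zero exit is what you want to see fixed before moving on. Two points to keep in mind while reading the result: slapd evaluates `access` directives in order and stops at the first whose `to` clause matches the entry and attribute, so the userPassword rule must appear above the catch-all `access to * by * read`; and an `access` directive applies to the database whose `database` directive precedes it in slapd.conf, so the rule has to sit in the right section of the file, not just in the right order.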