Restrict access to userPassword
Hi,
I hope I'm on the right list now, but I have 2 computers with Fedora Core 3 and the accompanying OpenLDAP tools. One of them is the server and the other one is a client. I would like to set up the server so that users can use it to log in to the client but not see userPassword if they issue an ldapsearch.
I've tried to accomplish this by inserting the following access statements in my slapd.conf:
# rootdn can always read and write EVERYTHING!
#access to attr=userPassword
# by dn="cn=Manager,dc=testldap,dc=com" write
# by self write
# by anonymous auth
# by * compare
access to attr=loginShell,shadowLastChange
        by dn="cn=Manager,dc=testldap,dc=com" write
        by self write
        by * read
access to *
        by dn="cn=Manager,dc=testldap,dc=com" write
        by self write
        by * read
If I use this as is, the users can log in but also see userPassword. If I uncomment the first access statement, the users can't log in.
So what am I missing here?
Johan