[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Restrict access to userPassword

To: lasted@xrs.net
Subject: Re: Restrict access to userPassword
From: Peter Marschall <peter@adpm.de>
Date: Tue, 5 Apr 2005 12:04:45 +0200
Cc: OpenLDAP-software@OpenLDAP.org
Content-disposition: inline
In-reply-to: <20050405071148.301EA37D3F@sitemail.everyone.net>
Organization: ADPM
References: <20050405071148.301EA37D3F@sitemail.everyone.net>
User-agent: KMail/1.7.2

Hi,

On Tuesday 05 April 2005 09:11, Johan A. wrote:
> I hope I'm on the right list now. but I have 2 computers with Fedora Core 3
> and the accompanying OpenLDAP tools. One of them is server and the other
> one is a client. I would like to set up the server so that users can use it
> to log in to the client but not see userPassword if they issue an
> ldapsearch. I've tried to accomplish this by inserting the following access
> statements in my slapd.conf:
>
> # rootdn can always read and write EVERYTHING!
> #access to attr=userPassword
> #       by dn="cn=Manager,dc=testldap,dc=com" write
> #       by self write
> #       by anonymous auth
> #       by * compare

You did not tell which version of OpenLDAP you use.
According to OpenLDAP 2.2's slapd.access man page the key word for attributes
is "attrs".

Please note:
* "by self write" allows the users to see their own password too.
   To prevent this use "by self =wx"
* "by * compare" allows anybody to compare anybody else's password
   with a given string. This may allow mailicous users to find out other
    user's passwords.

Peter
-- 
Peter Marschall
eMail: peter@adpm.de

Follow-Ups:
- Re: Restrict access to userPassword
  - From: Howard Chu <hyc@symas.com>

References:
- Restrict access to userPassword
  - From: "Johan A." <lasted@xrs.net>

Prev by Date: structure
Next by Date: Re: Restrict access to userPassword
Index(es):
- Chronological
- Thread