
Re: ACL Assistance



Joshua M. Miller wrote:
I'm running OpenLDAP 2.3.34 and am having trouble figuring out the ACLs. I have the following:

access  to attr=userPassword
        by self         write
        by anonymous    auth
        by *            none
access  to *
        by self         write
        by *            read

My intention is to allow everything but the userPassword attribute to be available to all users and have the userPassword attribute be available for authentication and password changes by each user (but only for each user).

The problem with the above ACL is that I am able to read all users' password hashes through an authenticated bind. What am I doing wrong?

Use these ACLs:

access to attrs=userPassword
       by self write
       by * auth

access to attrs=(put here your other attributes *except* userPassword)
       by self write
       by * read


-- 
Jeronimo Zucco
LPIC-1 Linux Professional Institute Certified
Núcleo de Processamento de Dados
Universidade de Caxias do Sul

http://jczucco.blogspot.com
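The way to reason about either ACL set above is the evaluation order slapd.access(5) documents: the first "access to" directive whose target covers the attribute is the only one consulted, the first matching "by" clause inside it decides the level, and a granted level implies every lower one (none < disclose < auth < compare < search < read < write). The script below is an added example, not code from this thread or from OpenLDAP; it models that first-match rule for the small subset of the grammar used here (targets "*" and "attrs=", who-selectors self / anonymous / users / *), and evaluates the reply's ACLs with cn and mail as constructed stand-ins for "your other attributes" and with constructed DNs for two users. The fallback level when no directive matches is a parameter of the model, set to read to mirror slapd's global default. It reproduces only the documented semantics: if a live server behaves differently, the directives that actually applied are not the ones you think (for instance, directives placed before the first database section rather than inside it, or a bind as the rootdn, which bypasses ACLs entirely).

```python
"""Model of OpenLDAP's first-match ACL evaluation, as documented in slapd.access(5).

Added example for this thread, not code from the list or from OpenLDAP itself.
Covers only 'to *' / 'to attrs=...' targets and the who-selectors
self / anonymous / users / *; the real grammar is far richer.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Privilege ordering in slapd 2.3: a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class ByClause:
    who: str    # "self", "anonymous", "users" or "*"
    level: str  # one of LEVELS


@dataclass
class AccessDirective:
    attrs: Optional[Set[str]]   # None means "to *"
    by: List[ByClause]

    def covers(self, attr: str) -> bool:
        return self.attrs is None or attr.lower() in self.attrs


def parse_acl(text: str) -> List[AccessDirective]:
    """Parse the slapd.conf 'access to ... / by ...' subset used in the thread."""
    directives: List[AccessDirective] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if words[0] == "access" and words[1] == "to":
            what = words[2]
            if what == "*":
                attrs = None
            elif what.startswith(("attrs=", "attr=")):   # attr= is the older alias
                attrs = {a.lower() for a in what.split("=", 1)[1].split(",")}
            else:
                raise ValueError(f"unsupported <what> selector: {what}")
            directives.append(AccessDirective(attrs, []))
        elif words[0] == "by" and len(words) == 3 and words[2] in LEVELS:
            directives[-1].by.append(ByClause(words[1], words[2]))
        else:
            raise ValueError(f"cannot parse: {line}")
    return directives


def who_matches(who: str, requester: Optional[str], target_dn: str) -> bool:
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    raise ValueError(f"unsupported <who> selector: {who}")


def granted(acl, requester, target_dn, attr, default="read") -> str:
    """First directive whose <what> covers the attribute wins; inside it the
    first matching <by> clause wins. A matching directive with no matching
    <by> clause denies outright. 'default' is what the model grants when no
    directive matches at all (set to read, slapd's global default access)."""
    for d in acl:
        if not d.covers(attr):
            continue
        for clause in d.by:
            if who_matches(clause.who, requester, target_dn):
                return clause.level
        return "none"
    return default


def allowed(acl, requester, target_dn, attr, needed) -> bool:
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(acl, requester, target_dn, attr)) >= LEVELS.index(needed)


# The reply's ACLs; cn and mail are constructed stand-ins for "your other attributes".
REPLY_ACL = parse_acl("""
access to attrs=userPassword
       by self write
       by * auth

access to attrs=cn,mail
       by self write
       by * read
""")

ALICE = "uid=alice,ou=people,dc=example,dc=com"   # constructed DNs
BOB = "uid=bob,ou=people,dc=example,dc=com"


def check_reply_acl(acl=REPLY_ACL) -> dict:
    """The outcomes the thread cares about, evaluated against the reply's ACL set."""
    return {
        "alice reads own hash":       allowed(acl, ALICE, ALICE, "userPassword", "read"),
        "alice changes own password": allowed(acl, ALICE, ALICE, "userPassword", "write"),
        "bob reads alice's hash":     allowed(acl, BOB, ALICE, "userPassword", "read"),
        "anonymous binds as alice":   allowed(acl, None, ALICE, "userPassword", "auth"),
        "bob reads alice's mail":     allowed(acl, BOB, ALICE, "mail", "read"),
        "bob edits alice's mail":     allowed(acl, BOB, ALICE, "mail", "write"),
    }


if __name__ == "__main__":
    for what, ok in check_reply_acl().items():
        print(f"{'ALLOW' if ok else 'DENY':5} {what}")
```

The point the model makes visible is why "by * auth" is enough for the second ACL: bob, bound as himself, lands on that clause for alice's userPassword and gets auth, which lets a bind against that entry proceed but sits below read, so a search returning the hash is refused; alice, matching "self" first, gets write and can both read and change her own. Any attribute the second directive does not list falls through to the model's default, so list every attribute you intend to expose rather than relying on that fallback.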