[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Getting LDAP and SASL (digest-md5) to play nice



Rick Stevens wrote:
Howard Chu wrote:
            by dn="cn=manager,dc=gbsbilling,dc=com" write
            by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
            by anonymous auth
            by self write
            by * none

Pay attention to what you're doing.

Yeah, I know. I've been editing the heck out of these files and some of the cut and paste stuff got hosed.

Without really testing it your ACL looks bogus to me.

At the end it should be something like
   [..]
   by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
   by self write
   by * auth

Anyway I would make the userPassword attribute write-only. Example:

access to attrs=userPassword
  by group="cn=Password Admins,ou=Groups,dc=stroeder,dc=local" =wx
  by self =wx
  by * =x

Also take note of http://www.openldap.org/its/index.cgi?findid=5400 when running with OpenLDAP 2.4.x.

Ciao, Michael.