Re: Getting LDAP and SASL (digest-md5) to play nice

[Michael Ströder <michael@stroeder.com>]

Rick Stevens wrote:
> Howard Chu wrote:
> > >             by dn="cn=manager,dc=gbsbilling,dc=com" write
> > >             by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
> > >             by anonymous auth
> > >             by self write
> > >             by * none
> >
> > Pay attention to what you're doing.
>
> Yeah, I know.  I've been editing the heck out of these files and some of
> the cut and paste stuff got hosed.

Without really testing it your ACL looks bogus to me.

At the end it should be something like
   [..]
   by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
   by self write
   by * auth

Anyway I would make the userPassword attribute write-only. Example:

access to attrs=userPassword
  by group="cn=Password Admins,ou=Groups,dc=stroeder,dc=local" =wx
  by self =wx
  by * =x

Also take note of http://www.openldap.org/its/index.cgi?findid=5400 when 
running with OpenLDAP 2.4.x.

Ciao, Michael.