Re: Getting LDAP and SASL (digest-md5) to play nice
Rick Stevens wrote:
Howard Chu wrote:
    by dn="cn=manager,dc=gbsbilling,dc=com" write
    by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
    by anonymous auth
    by self write
    by * none
Pay attention to what you're doing.
Yeah, I know. I've been editing the heck out of these files and some of
the cut and paste stuff got hosed.
Without really testing it your ACL looks bogus to me.
At the end it should be something like
    [..]
    by dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com" write
    by self write
    by * auth
Anyway I would make the userPassword attribute write-only. Example:
    access to attrs=userPassword
        by group="cn=Password Admins,ou=Groups,dc=stroeder,dc=local" =wx
        by self =wx
        by * =x
Also take note of http://www.openldap.org/its/index.cgi?findid=5400 when
running with OpenLDAP 2.4.x.
Ciao, Michael.
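
The difference between `by self write` and `by self =wx`, as an added example that is not part of the message above: a small Python model that expands each access spec into its privilege letters and applies first-match evaluation. The two subjects are constructed, and the matching is a simplifying assumption (exact string compare for dn= and group=, no regex styles, no a/z privileges).

```python
# Simplified model of slapd access evaluation; each level implies the preceding ones.
LEVEL_PRIVS = {
    "none": "", "disclose": "d", "auth": "dx", "compare": "cdx",
    "search": "scdx", "read": "rscdx", "write": "wrscdx", "manage": "mwrscdx",
}
PRIV_LETTERS = set("mwrscxd")  # the a/z split of 'w' is not modelled

def expand(access):
    """Privilege set for a level name or an exact '=privs' spec."""
    if access in LEVEL_PRIVS:
        return set(LEVEL_PRIVS[access])
    privs = set(access[1:]) - {"0"}
    if not access.startswith("=") or not privs <= PRIV_LETTERS:
        raise ValueError(f"unsupported access spec: {access!r}")
    return privs

def matches(who, subject):
    """Simplified <who> matching; dn= and group= are exact string compares."""
    if who == "*":
        return True
    if who == "anonymous":
        return subject["dn"] is None
    if who == "self":
        return subject.get("is_self", False)
    kind, _, value = who.partition("=")
    value = value.strip('"').lower()
    if kind == "dn":
        return (subject["dn"] or "").lower() == value
    if kind == "group":
        return value in {g.lower() for g in subject.get("groups", ())}
    raise ValueError(f"unsupported who: {who!r}")

def privileges(clauses, subject):
    """First matching 'by' clause wins; the implicit final clause is 'by * none'."""
    for who, access in clauses:
        if matches(who, subject):
            return expand(access)
    return set()

# The two ACLs from the thread as (who, access) pairs.
ORIGINAL = [('dn="cn=manager,dc=gbsbilling,dc=com"', "write"),
            ('dn="cn=manager,ou=aliases,dc=gbsbilling,dc=com"', "write"),
            ("anonymous", "auth"), ("self", "write"), ("*", "none")]
WRITE_ONLY = [('group="cn=Password Admins,ou=Groups,dc=stroeder,dc=local"', "=wx"),
              ("self", "=wx"), ("*", "=x")]
OWNER = {"dn": "uid=alice,dc=example,dc=com", "is_self": True}  # constructed
ANON = {"dn": None}                                             # constructed
for name, acl in (("original", ORIGINAL), ("write-only", WRITE_ONLY)):
    print(name, sorted(privileges(acl, OWNER)), sorted(privileges(acl, ANON)))
```

With the write-only ACL the entry owner keeps `w` and `x` but loses `r`, `s` and `c`, so the stored hash can be replaced and used for binding but not read back or compared.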