Re: ACLs - allowing a user to add a new attribute

[Andrew Findlay <andrew.findlay@skills-1st.co.uk>]

On Wed, Apr 14, 2010 at 04:00:26PM -0400, Matt Ingram wrote:

> access to attrs=userPassword
>      by 
> group/groupOfNames/member="cn=ldappers,ou=Apps,ou=Groups,ou=Accounts,dc=domain,dc=com" 
> write
>      by dn.children="ou=Admins,dc=domain,dc=com" write
>      by self write
>      by * auth
>
> trying to achieve write access for the ldappers group, children of the 
> Admins ou and self.  by self write should give a user the ability to change 
> their password, correct ? Is there a better ACL for what I'm trying to 
> achieve ?

You have indeed given those users the ability to change the password.
However, you have also given them the ability to *read* it (because
'write' includes 'read' in OpenLDAP ACLs). This is not usually necessary,
and even if the password is hashed it is good practice to prevent it
being read.

>> One comment I would make about your ACLs is that in several places you
>> are granting read access to userPassword. This is not usually
>> necessary nor is it a good idea. You need 'by * auth' access to permit
>> authentication, but only need to give '=w' access to those who need to
>> change passwords. Remember that the 'write' keyword includes read access.

If you replace 'write' with '=w' in the access statement above, you
will still give those users the ability to change the password but
they will not be able to read the existing password.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------